b15eb0a6d12b8a30206f70aaa15b2813d144e5fdd687056e39003055de05fb3e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 10:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
Size

3.9MB
MD5

dab39ab1f9b537a61f87c5d648b8b260
SHA1

a2b29500ba83084d29618afef96021cb4ac3d8db
SHA256

b15eb0a6d12b8a30206f70aaa15b2813d144e5fdd687056e39003055de05fb3e
SHA512

b335e93783295a9f4b0c8f37a5cca8e1f2b5f9f303e4965e62ecceed44b00a8cbd401f6b11daa49a7c5e4e2b98ec6e380d66248f9dab160bf28fae958d46cc38
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	sysxdob.exe
2708	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint27\\optixsys.exe"	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBN\\devdobsys.exe"	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe
3068	sysxdob.exe
2708	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3068	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	28
PID 2828 wrote to memory of 3068	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	28
PID 2828 wrote to memory of 3068	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	28
PID 2828 wrote to memory of 3068	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	28
PID 2828 wrote to memory of 2708	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	29
PID 2828 wrote to memory of 2708	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	29
PID 2828 wrote to memory of 2708	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	29
PID 2828 wrote to memory of 2708	2828	dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dab39ab1f9b537a61f87c5d648b8b260_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\SysDrvBN\devdobsys.exe
  C:\SysDrvBN\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint27\optixsys.exe

Filesize
3.9MB

MD5
96839506eac705063a6dbd1091bcbd22

SHA1
d9479605155198155f662bf3f571a18ab8dcd611

SHA256
99f9746f64e3767dafe8d44ce8877f42f5fa54c666bdaff6b242a2665c405d1f

SHA512
49645e9f7d2843c6685853058ae87ba5c75fc24fb5f94045067c38f705f974466f1506b1a4c8270f4ac2a7897fdf4e2e3886ce9df5683e3f74bb44580c1094b9

Download Submit
C:\Mint27\optixsys.exe

Filesize
108KB

MD5
055906b83cf23db4f92486d258cdbad0

SHA1
5558b72ae663f8c39a992b034b43802d85e2b330

SHA256
713562f5876af408819e52b17606e3d7eb5c6cc91e38fe61fc6e87ec2415f492

SHA512
c145c68fdb7b9655851302e1a05ad83472fc8deb008435ce0e94a268a71d6f0a0be86a34c0744cff22369fd2d6cf1998bad20857ce6f3c0b296b34d4c743d21f

Download Submit
C:\SysDrvBN\devdobsys.exe

Filesize
3.9MB

MD5
f44e67915dbfca5e3557f3821e5d80be

SHA1
edb758edc2ad51682f7e5b6c3a856a663423bac5

SHA256
cd665cc3f74051e5d1934872814e48ca7fefbd53199e3d0015df3f4a4aff7920

SHA512
b880f657e190c88700adf576d1a3cc4528aea2b6adf9081eed6a6fe8c3f931257155846035722aa92943292a37c65514e373d2ce991ee948e26c8dcd7dcc4eeb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
a0d8535a6254b2aa3c5f5b5e02ebcc01

SHA1
cd3c567f5bc21a79d6f34cd63b4f9561ab522cbb

SHA256
120b2ea4a3dbdf8aca90376520851988def453f4bf5d794a7b5e433cbe180073

SHA512
cbea25f7e74e6a296905a84745d777844e9d2a772fd960a932eb4af772afbcbe173aaf17d40e0d7883a5cbc380421c286aab877a04984666eac88fa268358ab5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0af7260c629232d06cac39e00b136d4e

SHA1
63dbe54636702b1ac3fd577528a687951372859f

SHA256
cfebc2e5655f3e9252afd3d6d93de114980b1d89c49cb652914db6e2c7d08191

SHA512
e918ee1b868d6db28ba51b4e2cc8edf3f7c5339adc35c9260c7f4adac5adfe2bfd795dea8d61ce43ab8bad36cdd9a9ed6736a4ad29ee7d37c557695708c5d449

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.9MB

MD5
02af1aac52becf38d2756e80e29512a0

SHA1
ced6cc97a7aba3c17b9e6556b61a9ba8ab390f4d

SHA256
0c4eb36de9399673f952d4015f9dbb4c333d8aa3c2a32a22cd03e7f1518e032c

SHA512
417f7bca2e8127def86f9e320e95422d1ac5774bdce6390bc847154e18abf39ad17d3f0bc686f8b6da9a253afe40cf2ef9584943764bb43aeab15a6ea8191a50

Download Submit