14be9451a477c33cdeac106d735da86feaf904c617ce40842a30091d49418d9b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
Size

4.0MB
MD5

669d762d3763a6e011f740fa139e70a0
SHA1

55895bcca197f71dae446ed70ef14fafe1e55e4f
SHA256

14be9451a477c33cdeac106d735da86feaf904c617ce40842a30091d49418d9b
SHA512

333f283f61c3737969a49d98242888b96cfbcddca9d812fa25a38d51e8fba288ae3292e03036c8cb40ed5f42d3c2421cb9896ed98f8fb46a331f537dd61cebf2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	sysaopti.exe
2596	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVT\\devbodec.exe"	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQG\\dobxec.exe"	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe
2356	sysaopti.exe
2596	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2356	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2356	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2596	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2596	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2596	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	29
PID 2128 wrote to memory of 2596	2128	669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\669d762d3763a6e011f740fa139e70a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\FilesVT\devbodec.exe
  C:\FilesVT\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVT\devbodec.exe

Filesize
4.0MB

MD5
93db7e6a4be418b414e9f1311076cd50

SHA1
91c5954f877fd20a2561e505e683be8229ddd6ed

SHA256
20efa7f9892248e5c720b912967eeab250bcdbbaf4a9e6cfeb849dfd4ac5b4fc

SHA512
aad21cf02953f9c85c171c25ff7940308c80e421888d94b0453707ec7f3e2e589b7030afb8ddc8926236f98ebd1af866ed52e7a6aa631e662d628cac5bf44852

Download Submit
C:\KaVBQG\dobxec.exe

Filesize
4.0MB

MD5
2f1c67209e0792a3f3572bded5c9e6a2

SHA1
3ae461d439c59414fc3f8e6e2f3ad79a3602a3d2

SHA256
e37d69cd4ea54ee0b8d1f6cd6471dc74789461afb68afbacea5b7ddd1cec04de

SHA512
c6ba5293cb627dc67abac1a036607cd2f751f107775644383311351c923bcc15f58f32563447a1c4ffa13cd9ecddbaccb1b236c038c4dda300359d4c38bf3ed2

Download Submit
C:\KaVBQG\dobxec.exe

Filesize
4.0MB

MD5
87391ba7b3de1521bcd850d0190b4751

SHA1
9a761c6372454dceebebb411a63b7e8b9b175223

SHA256
6ab5be97242364dc2045530613d3ad53b1d41c6e1f2c26668e91d5b018b3e268

SHA512
84438854b09c1951ef0b6cfd0d32ace0be713aa3e39aebe14ebee72e62edc3f90034fb160307e77dcbd54d95e637f85014f4d369d99412f86bc88864a9ee92d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
dfa1f38334b89f05248a60ce09d946d7

SHA1
09916a35a480d9e87c4ffd2724ce04d8f1c29597

SHA256
dcda7f65756fff6352f26beecf59b6fb4359e43ffdb210c46ae979fe704d9648

SHA512
183b9480b5d80c070494c1c0fa5a407279d89c84fa0f2731a0faace81942042f1351ccbe0b26d62993bf485b6f05717b17412e779b1fb8572b3b5e9ae6d40f98

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
e49c70bc76e41d6c0f819fdc06426fa6

SHA1
020f281ce23945b83a96212d433de8d565c9929a

SHA256
8a19b3e546241fe2cc9794f56b14922ae13f07fed096c28c19e4a58b23f99aae

SHA512
edf2055332e3c265d49034819813027ffca725c67e587bcb91db3bfb287928a20ec31caa64bf267ec553a8a16f86fd44bc6cb609ffe99d4c8c2a16618e05bb57

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
4.0MB

MD5
958a30d18f58fd3b3e120df58410d581

SHA1
f15790eccb9cccc97693c7e8f2da06903ece9d2f

SHA256
0074b69c57360f592e0a647027f5efba808d2554966b669c2a59087261711df3

SHA512
cf7de53eb44b2c64c0db55a9b2f68566a41582997e8a01ec4603e85d325672e6c66902e4d60daee3c486bfe6f19ef28ccb1143c871deb740720c3d0e1648b9a7

Download Submit