f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Size

3.9MB
MD5

a6db96aef9150433481995726b09b8a0
SHA1

670f4bc6abfaf8b7b1588d8ca553a5d2f5018e5b
SHA256

f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16
SHA512

58f6451eba42d242a876668b0939d564db44a57b21ee6f2dafae552f377f4a1daee4058e0959576db12d2fb4f451cc249ea649518482d49639d4322e74507be3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4992	sysxbod.exe
4676	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0T\\devoptiloc.exe"	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAG\\dobaloc.exe"	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe
4992	sysxbod.exe
4992	sysxbod.exe
4676	devoptiloc.exe
4676	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4992	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	89
PID 372 wrote to memory of 4992	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	89
PID 372 wrote to memory of 4992	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	89
PID 372 wrote to memory of 4676	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	92
PID 372 wrote to memory of 4676	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	92
PID 372 wrote to memory of 4676	372	a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\SysDrv0T\devoptiloc.exe
  C:\SysDrv0T\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAG\dobaloc.exe

Filesize
3.9MB

MD5
c39b6170477bd3439182c8b2a3ea3638

SHA1
dd5c49307d0c5b8de31756ac0fa8ff6442dff287

SHA256
0b4c8229261289b2a6df94e8f21953f8ff59467116877884dd55e07a4f23523f

SHA512
8c2768f890c9be9d9e7b2deba52635aa61dab44b22187d44f7d8e361ce483a4f9683cd4e21d256d02f6e0bfc132b434f887af17f38117122b2f82ff26cb54d4d

Download Submit
C:\MintAG\dobaloc.exe

Filesize
3.9MB

MD5
eaa151f74b7c86e0d4d8b7ae075ff484

SHA1
bf8b518238eb7b8c8b8933973511c0e6435fc216

SHA256
c34f98a17d5de21fc2fb0934caa1218f909660430fb3de5b66a108357cd05cb3

SHA512
6ab9d7f0de3b7fe6c67abc77f9346ce525e0407b9d1d53759ecf55986eec2adc279aa1ae67afd1863adb04130f25d62623fd18a714932a9ffc9fce7b81c2c42d

Download Submit
C:\SysDrv0T\devoptiloc.exe

Filesize
3.9MB

MD5
e8553dfedfca2b0ed363ff1278673b12

SHA1
653346b02bca4f85734ed5d06284d609efc89f49

SHA256
1112c906cd3b70315367c49d5467998dbb884f52412a2a02af750df080c35bf5

SHA512
77d089f7a9ac697a02ba367466ceb5650294af90bc995c957e64f47eec9b3c3ca5f14390fc5d6d6165cb1d4c1291d672bd28264a316b9b0f422cbedfeb6c444e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
a768811fd664e516d45ff983f7f3b822

SHA1
e019fbd5c72e2029659d0db108021332c20aaed7

SHA256
5aa84ac9095a5560769d14a124888db1127b91c7ebff920f3c2a52454a42afb1

SHA512
2ea6614cd86617ecbbf63c02871023144ad1b57ed40e44089d1b6dc750a64e449b17db302ff67efed14b618baccb86a69dfac72f6e8eb68795dc9ca09f57fbed

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
23737c7f121deb98ea19c1148e6c7810

SHA1
e08919c5f488b5c8ec92fd305d1724765575761a

SHA256
5545ecfa5bc56c6ef7fe9e1753e6628e7372863b4b1784ebb2de04e6007f9779

SHA512
38c4d71e4bacb45d190624b1d1e3bdcd8895480f37def4ba13273551fc72af88db48c8ae36f5204c7666871a02d46074aa59287aab20791a3327f66723a509d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.9MB

MD5
307780f9e61e3a87a53d77da464dc051

SHA1
e498d757049a1b3ce3e76696277f422de02d55a2

SHA256
171043f8ff18fa435eaf2de2d2589b87e9fec95bb7677dbdc5c6e1a0b85ef178

SHA512
c9cc9f1cc8643a7a0723ac39b4765d07e1838ada237e2763c907c56ebb92fea23adb360695b887a3ecbb1151759a0459bf12cfde13d09356f09ec25c874f7c46

Download Submit