3aa288b56f4e5feb3cd6efff2ba6dd52089a0680346d2bc2876b979719f36754

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
Size

3.0MB
MD5

4c34d9f44a3a5cb6e258a51c4a1efa60
SHA1

5b9b00cdbcf3faa48e7d17475292e59070d6de28
SHA256

3aa288b56f4e5feb3cd6efff2ba6dd52089a0680346d2bc2876b979719f36754
SHA512

2c7424db0748526a570ee79aceaec4c7a97f8adc704c567a6d0a861358ea1c56db2b54880644721c9b74ec7276c50d8680f7aab9bb1d20ef66db8f6b8a941fad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1760	sysaopti.exe
2956	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFB\\devbodsys.exe"	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDZ\\dobxec.exe"	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe
1760	sysaopti.exe
2956	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1760	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	28
PID 808 wrote to memory of 1760	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	28
PID 808 wrote to memory of 1760	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	28
PID 808 wrote to memory of 1760	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	28
PID 808 wrote to memory of 2956	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	29
PID 808 wrote to memory of 2956	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	29
PID 808 wrote to memory of 2956	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	29
PID 808 wrote to memory of 2956	808	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\SysDrvFB\devbodsys.exe
  C:\SysDrvFB\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxDZ\dobxec.exe

Filesize
3.0MB

MD5
e37d293b15bb0f902a45436ccdf6efcc

SHA1
3fa08e38f858f2a2a7aa889c57a37f134f9d9dff

SHA256
16077cc006d3394732271f0ad66fc42d58052d6d3710edbfbf8b3da8ac0e96be

SHA512
7c2e5849098e9142f8afb3fccba75c26146c69423f7f7b8129977939cf6dd9c330aa85f1de8dac2fb2ebf8487e903a58c7c24fd799cd8177c4ef14b0c4703b39

Download Submit
C:\SysDrvFB\devbodsys.exe

Filesize
3.0MB

MD5
06a14ee8f4be1dcb1c54796df25c00d3

SHA1
616a26893edcaa23c8661cd052d4f65b9f24d448

SHA256
28ca97cfe4042f65d96ec8b76429262e9980b4d57ba72efc124c574af783ffd9

SHA512
b9b9735b8aa2809bfe4ee483e09ea487bfaa858f8c49962970370056f745bde8a427af795bb27426c80c29f951526d179b363a534cb027a4d34d38371c027855

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
e8c322a62995c557192e145dc21620fb

SHA1
6bfb1bd307b64fc4cd47dc28120eab307e43c637

SHA256
6ec5e3b3ceb30810c1bdf116391649a638753ae558e2d91da197004114b4dabb

SHA512
dfe59c0ac155fe6b427df8362ceda704673f85ad8e44417e34053650aa7f91b7ef2d9e7eeedd60ca022fbb2bac35131a8e8bd1566b9891efcf8ef8dc8a9ba2df

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0980dea38fb1a8fa4fb8e8e9dd6b0daa

SHA1
aa360970ec2bcde566733638cf6e28ddc593b051

SHA256
6134ded86745ea41cdd0c9248b9171ad8f1595762b1c2abca76ab40ab0e59ced

SHA512
bd1c3d4187f5ecb16ed5d66fc60a6872d299a2fc5cbe70f68daae336a8ad2cf271c60f5fe9e678baee09903da1338129d0b33b669eea225ffd629e09dd82cfac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
2f28d67d02ae0098e3025dd99abd6360

SHA1
4fcd8febcf7ff34600320fab936a517a8f222b65

SHA256
376ffb72d9eb0ebc37f01cf997c0ec10e3a300cb99f19e072224e74d143d0627

SHA512
b9c39727fed814c06547ba91c74c938c0ee537832477f67fda57e57c0c2b354950af7b1d71b0eb93d3f7e3234793d3352e56ebe83ed98498286e59893b548725

Download Submit