505a9e5c018d0eea8e3accee02d3a42aaa3dc2e1a6331676315fc77eebb65ca7

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
Size

3.0MB
MD5

094bd4e3883f7bf38f0d2463bd7d1900
SHA1

233f342e7a338812e8e4346e8e036d44380c3986
SHA256

505a9e5c018d0eea8e3accee02d3a42aaa3dc2e1a6331676315fc77eebb65ca7
SHA512

94792912738684be2bddd092ed2e15d8b42f8d173ef1b6d6c19fb512fef3217c77aae1a0b59c4d4fc0852990797982a0ce922ffff809f66a1b6294c054e5cbc3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNX:sxX7QnxrloE5dpUpHbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	sysdevopti.exe
2532	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX2\\devdobec.exe"	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB29\\optialoc.exe"	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe
2536	sysdevopti.exe
2532	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2536	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	28
PID 824 wrote to memory of 2536	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	28
PID 824 wrote to memory of 2536	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	28
PID 824 wrote to memory of 2536	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	28
PID 824 wrote to memory of 2532	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	29
PID 824 wrote to memory of 2532	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	29
PID 824 wrote to memory of 2532	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	29
PID 824 wrote to memory of 2532	824	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\IntelprocX2\devdobec.exe
  C:\IntelprocX2\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocX2\devdobec.exe

Filesize
3.0MB

MD5
e7c41f689b586f00dd0b4d479a9617fa

SHA1
84e0a27a972496b2c5dde2c99c5b89cbacf554e3

SHA256
b4209f94784c866ade657af27655ab10348b9b7c8fa46389ee7c58bc0f8cb13c

SHA512
b9287d13a1638f69a45e7953065cd1f6e08633f14fea66591b3e3e0191d52abdc6b91a784e0029ab396337266d381dfced8a6269203c54ed48bd3fbe4dc2553d

Download Submit
C:\KaVB29\optialoc.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\KaVB29\optialoc.exe

Filesize
3.0MB

MD5
977a450144ce1d903a601e733f97c98b

SHA1
428eee2b9d831146672f7708245be3f80ddaf2e2

SHA256
7da75a186dadedf449f127a986e3c2588835b89bc42594526326ed3676f3435a

SHA512
38ac988d477efbd9d6ecc5aca63a6710fc2820948f2b5ef74390f8f84d4fb6653c9b7245f7098e1954c6c7cf15e9eb1525727d3a5e7a407c2f3a470717d7a00e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
5438a53eaa6aad621bf3bf0122efb2e6

SHA1
4fe35169c45ece5e3537e9189e1897a43b315c7e

SHA256
2d127b8bbbe10a9d9fac24167492ff005de035c9f812ea829f1ae4ceeb9a4d43

SHA512
98a94b3b5d7df7b3311c0fbec7c905cf3cbccae4e671b2f11f03dce33716bc0cf60c252832f9ec602d399083b2040195c4a27813742b8a3498fb03baabf01686

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
e64b82aa8bc70124f84535414bf25be1

SHA1
52e730ec29894de1bc481bd26ba1bd7b29c68b47

SHA256
03b0b8103c540beff28018f0e51467051438e50c67a781768e454925fc6b6709

SHA512
26281a35d6f2d722ff6bc7fc9bbfcb8e7005bb27e656f89ed0fef87223e91783e06e1f3852e2ff3429e38d57eaae52ce0f65fa4efc8183d83533ec8ee2f7fd0c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
087f281b050475d090e45bad4edae6d7

SHA1
550938d7b96b6447c58f676d91b097a0592249ce

SHA256
620044659d7cda8a714381337da9346ca825fd1d2e0f7167e828f21ad2aa8f25

SHA512
0083e90ed0022f9476ad7d2de8530195052eb22e96fade5b3e71e8121590429e8d11b9d0e11886ae5dc995fced6189658f20d3d7c023e6e1fa061effc2f76852

Download Submit