e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Size

3.0MB
MD5

12e16a008a5813732935972704d9a290
SHA1

3fde23c769943deb96ba0150f7d1d555c69384d8
SHA256

e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103
SHA512

1906770a2a1083c283d7d03930a550039e7834500a3d68157b1d6a237edee757ceb9eb09db0893aa33f45ae9e46edb430e72716451c2500006c9de6afeee11c7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpXbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	sysaopti.exe
1724	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIU\\devdobloc.exe"	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW8\\optixec.exe"	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe
2776	sysaopti.exe
1724	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2776	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2776	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2776	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2776	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 1724	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 1724	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 1724	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 1724	1620	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\FilesIU\devdobloc.exe
  C:\FilesIU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesIU\devdobloc.exe

Filesize
3.0MB

MD5
404774daf06ad35c0f788f1482394e38

SHA1
25de47c6574ff4306286b2c4171e263be1dec50d

SHA256
197c8596069c92d00faf30447af8af247a84d4525d2a6118dc8849387a0af4b0

SHA512
db2f92b6071f0e9c9faf3fad2d4ebcc8df3260b12c9f69b07372cb41849ab86337086d341482022fca06492afc7d62bac638e8c8e816e476cb8466ed2a730857

Download Submit
C:\LabZW8\optixec.exe

Filesize
3.0MB

MD5
9c82d0b12b3e8a4960e834a714c76feb

SHA1
79953fb38bfcbc2c98db3d0f72972eacae2a4736

SHA256
a34517cfa2fe93857cc18fb4eaf5ae799375ef6ad47b109bade5417ee4d65e06

SHA512
50a61ad0c2e686ee88b7baf72516527acbc6fbd406e09848c1a13af71b431bc95206ab52b710c2532424b2b29d22d62a864f931fe66eef5f27da318d93703edd

Download Submit
C:\LabZW8\optixec.exe

Filesize
3.0MB

MD5
e5ea77d5fed0d107b18d78c07424faff

SHA1
2b18bdf21708882ecd5b55fd20174e7a1ebb1bb1

SHA256
7c36a9bc956b72f5168c28634aec723d26d26224393d66e96ec793e319daa72d

SHA512
8881892858eb0b3fbc0eef211ae201167b92ad46d5b677456059328a20e55d408eb99479f26bf1accc85e05d3aebf250dbd003520981e0a27dc9b178acecaf96

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
15a29a081d3e153834bcee66db9c96bf

SHA1
232cdeba82502dc85220237ee75da7e524067f97

SHA256
7252ad08d34ed92c0cd75c111ae8577438309c0b310ac26e2b983e33fc875cb0

SHA512
1a65b1a577b498ac6934c07c6a99b1592a7b37a7cc1916e0589c5bc21b07ee603a08380fc180a240dacfed8d59ac7db379af05445ee673c6adc75e9bcc94d43e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b056eb05800fb7142ebd60fa83c99e34

SHA1
babe7d626826f711083bdc95468d3370649ec442

SHA256
772a4946015a086952ae896e8d7cb76cf2b14b0f21a1ac119a35243add513f1d

SHA512
3efbfea9ad8fc63f2ffbd5d33d2a450194bcb1245eb58613e99f0c3b216d886c2c6c26468d81eb58a22b2db324dfe92c960e014ebbc129e362f93af819b2750b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
fb7d99c1f7215926936c8fc0c25082ae

SHA1
84c966e9a53aacdecff17d6382e6844b23bfe44d

SHA256
e89b238bda760b12ec0ff1c87597fcdfa4cd669c55b947c2a067d45e1a287139

SHA512
c2acac518ed0b211e3adee06f53aaa9fefe1c7f1f6325eb3dec0c012805126883962a056d0a85c0f01a29517698e76ce25277179be608d50e108f57e483695d2

Download Submit