fe468a576b4b53c107da184591a59a0efd1ce79f4f5d750335263372bb04932c

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 04:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
Size

3.9MB
MD5

1ef3d231a14ef68200649a37ec6d55f0
SHA1

82a4c35fbf60e1bb7f99c36cd843bec8419658e2
SHA256

fe468a576b4b53c107da184591a59a0efd1ce79f4f5d750335263372bb04932c
SHA512

ab97fe8c0fd869182eb3f57ff92c532ea8797ecbf86ef08c0fe061e29ab098978f6d9b2dbc32efa5f3ea4752ddde658286eb4b6fea31193591585bcb2ac496ae
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpKbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3904	sysabod.exe
4532	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLB\\xoptiloc.exe"	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPK\\dobdevec.exe"	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe
3904	sysabod.exe
3904	sysabod.exe
4532	xoptiloc.exe
4532	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3904	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	85
PID 4036 wrote to memory of 3904	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	85
PID 4036 wrote to memory of 3904	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	85
PID 4036 wrote to memory of 4532	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	88
PID 4036 wrote to memory of 4532	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	88
PID 4036 wrote to memory of 4532	4036	1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ef3d231a14ef68200649a37ec6d55f0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\UserDotLB\xoptiloc.exe
  C:\UserDotLB\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBPK\dobdevec.exe

Filesize
3.9MB

MD5
779f8c84d1a96be21fd7c79a14f08dad

SHA1
a43c6a917a92ef247cde2793bb2c2bc701521ec9

SHA256
c67eba8a9331a447be2f520fb48cd6ee918846088b5e722dc2ad5160c1d3f107

SHA512
4f35797bc096223a84b3b4c87290ade869375172269711ff36f2b32c68cffd09971e389176a832f61b63b3d269722a281db5421f45f687f9052f6998023e13da

Download Submit
C:\KaVBPK\dobdevec.exe

Filesize
23KB

MD5
3802e70e50917db6adbff13a6824dce7

SHA1
1ec74804dcbb5eac9158cc01b922116000bd27f6

SHA256
b81d5b38681149b114bf47a1e7fa43ddd85131b90d90958a3b1ff715a6be3573

SHA512
2ae50667aa5c3bf216c71d67c60ef19a77841a00f44d71976aa8f97b9a6fd7f512a1183679559970fb5175722a27db103b3b44cbae08e134908cdae961b88b2b

Download Submit
C:\UserDotLB\xoptiloc.exe

Filesize
3.9MB

MD5
895da12587586a1415f496009663406a

SHA1
4422d8fa16ca77e47bd0832c2baec90245b47961

SHA256
5584ee29293b223f41efd3d56e0f7cc6f44b39c1b5b743c2c0f688ee1b97a46a

SHA512
4a3f802c99ae796897a37693a025814456b03aca2b33c346fa72679837a55938bbcd58a90b6d8552ba04d55740d99481bf18c39d076caf384aff32dcb5351361

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
eb984e0eaf299f9f8005fe026debed84

SHA1
2277927b165b7115da27f9efb9747f38f8bb5bb6

SHA256
8ce94c09d0a8270f774b52c3029a5db2a36191817a211d667c4cfc750c8d850a

SHA512
db182a4982fda7d57eaf6d5eeec1b0b0d3b9d349dc9cce4f0a56cf42b575ed79d3f9714cfc87ab05265bea1aea3dedafa4024b0bc5ed0ebf47395c8f71fc21a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
fe87fbded513a8ee96cebe5aefd7ba74

SHA1
f2e7c42bbf51f6b3f72b06fc4cba9f6b41e15f8f

SHA256
39185937fb91e56a03f13a67920febb102abfb7af3ad7d82241c5a2134e6fc44

SHA512
1d89ae1471438acde1796263ae0907a284249b486114e57f26f12df394ef4c2826e7f3e54d064137e7a9a87d7873467d7e2512a6a7530ac3e94fd89fc4f7842e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.9MB

MD5
855899916760d31997dffb9d1b7aabbb

SHA1
33f5da6a9531cbf4807712d2585f9e33c40df454

SHA256
13e324538cfb3c3da04681350af4e54ba7c3b41c817dd9903965e8b5163068d7

SHA512
561d40dd2b44482571a714750527f57ad2bde339a22c60a1ba60536891f2278d11a7bcb1cf6c8aeec69a2b1e5b6b735505a1c682dc633c585ac25a602adc0563

Download Submit