330a12b48d60e6e7e43cbf588dd0e35155eab9b1277ea07588e224bd81fde413

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
Size

3.1MB
MD5

24ca8c0247bb93b6f17a951bbe2f1eb0
SHA1

fbcda89e0df0ddf5ccae70cd622a64288e88899e
SHA256

330a12b48d60e6e7e43cbf588dd0e35155eab9b1277ea07588e224bd81fde413
SHA512

561d60437083bd57d53c4caaab8c9b67c827e936faf1669c39b04526ddbbf8b6e392f2d038ef29ca9a877e626668cc70205938e00fae557c0acff7ba299e7080
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUptbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4788	sysdevdob.exe
32	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU6\\xoptiec.exe"	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJ4\\optixsys.exe"	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe
4788	sysdevdob.exe
4788	sysdevdob.exe
32	xoptiec.exe
32	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4788	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	91
PID 2272 wrote to memory of 4788	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	91
PID 2272 wrote to memory of 4788	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	91
PID 2272 wrote to memory of 32	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	93
PID 2272 wrote to memory of 32	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	93
PID 2272 wrote to memory of 32	2272	24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24ca8c0247bb93b6f17a951bbe2f1eb0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\IntelprocU6\xoptiec.exe
  C:\IntelprocU6\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJ4\optixsys.exe

Filesize
1.6MB

MD5
1854327cf252f46fdc99ccfa7be067e5

SHA1
73b9144579a18faa23aca77be1b82b9bae18611d

SHA256
1ec8f85fcad715be49a234b80ff5f7a60db8aaf59da6d0cbade256f938b27e93

SHA512
f4df823a2d456d980ddcc7a0789455aea639d94f3e79af5134f8b7c5b1c8952a41e969465e45a2ececb229c2833f028e13cbc44c50f3066592a4f0a0cabfb049

Download Submit
C:\GalaxJ4\optixsys.exe

Filesize
3.1MB

MD5
582a86f167f8e2ae44da54a398765b80

SHA1
967cb46dbd6eb5edd491a7c60027f46b0fd39dea

SHA256
3430752e665b8b8868f3a0018a0506da79bc437c2a805befc0a12d273c8e889a

SHA512
1c6625c125abddae90143bff55b882dee4e97ed086a292e4b20448cbfd10cd3730a7e7a7ab170298af329396a42ad4379585ab6e3fe829364e94df39edfc755a

Download Submit
C:\IntelprocU6\xoptiec.exe

Filesize
3.1MB

MD5
236d2888b6c03bcea7c98f5c30b4c0a4

SHA1
e564df7085943da0afede16e86f842716b3832a6

SHA256
2b2d9a4c1b40ee135d26db643aa08e744412438f6b09fa65e16c8d713a7d8107

SHA512
819d5a9c936effd9378e5c1c91443068b890220a3d252ee5446d21cb928aacb43c15b13e1a8cc08425a2499754c655f3d5f4d7e4b1fa6d18ead940201592360f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
5998aab0d534d5831bd05f7aa6090018

SHA1
0645481e1c57e3420b4e397630883253e60b07aa

SHA256
fe7093c3fb0c9d21d810fcbd3d4b9956d180d222ea9f1a7eb31fd417c0ae55e5

SHA512
43e79b9d9f18c7e329dc044de4a1337aaefb596df30914519da1883c508ad9e9018b30225dd2d3e0167bea985a4a7c58a614dbe771861867e51f939f92b66edd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
c7a56bbb12e4890923b4397c34384bb2

SHA1
f4acb89f2edea4d450edf7ee21f8ebbd4d0475b5

SHA256
402dce6ecc844c880508027b7d7399fbbcc87532186f9c11db668238a442fbdc

SHA512
34bbed8c937913ab1e7678ba6148fccfc90f632daa323b5c6e8b64862da169de3a93c8f386e87282e8fa630e452409e7c056e0045a8b5e09c6f1ee4c0429afc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.1MB

MD5
d0b3bdca94165bf9d0443d0055092186

SHA1
046d39dd89dd4a0650de29d4c1aad1a89ff124de

SHA256
18227b99c183a50ad3839fc74479fe428168ed70d1d43fa19d9a40c096fd41c5

SHA512
2513c8fe370af82ef7d3cc5abecacab533692b0112ac09ce567c4582932c87a14b89a2c0efcbd8b64f8413b50c20b764bca23a16099363308414ba9ef2fd3cf4

Download Submit