2e28e8a244430d0dc9fc788a405bf044a4a6fd8ebefcf6ba9c78bd15e1001fcf

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
Size

3.6MB
MD5

231feec23bee69ca907eee006c410a10
SHA1

d31baf06e944e455ffb311e8200721621ec11dad
SHA256

2e28e8a244430d0dc9fc788a405bf044a4a6fd8ebefcf6ba9c78bd15e1001fcf
SHA512

9b182b1fbe428a6806418071b913d83469ef3f978eef19f1f765a30e04bfa88312e5a17ba703d932e4bc19bc65ce053778e3917549b68ff4d625cfef54d9abf1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8:sxX7QnxrloE5dpUp1bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	sysaopti.exe
2600	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9Q\\xbodec.exe"	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ2\\optidevsys.exe"	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe
1980	sysaopti.exe
2600	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1980	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1980	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1980	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1980	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2600	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2600	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2600	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2600	1736	231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\231feec23bee69ca907eee006c410a10_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\UserDot9Q\xbodec.exe
  C:\UserDot9Q\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBJ2\optidevsys.exe

Filesize
3.6MB

MD5
cac4c02fdda15f02abeb22756618d852

SHA1
b3cf7429b124bfe5215c7c0c1b648d13c87d26c4

SHA256
9faceb5fd5df2e500de2266de5984a09eb5a562fc941d700bde0d8b3080adecd

SHA512
75a8bb699e8294ec7a0f039675378aa947c91d4ddee14213596a2e7177448903148b9465068349a67c6b916b41947a677e420f2ca9880418a72eb97d8501c865

Download Submit
C:\KaVBJ2\optidevsys.exe

Filesize
3.6MB

MD5
19bc9b7dd16456deaafb79797213c2f0

SHA1
fc4f17050226cbefd235888b55b49c54232fc117

SHA256
c0acacd42cb7bb5252e04d453d0ab38c6e566e79d2ad164485045924ddb591e7

SHA512
3d539cac0aa403ddec3f1c404a7c2f83e5de6e2e9a318ceecf2d842b314ff942cf0cad2b656337ea9795730584e7493d4dd4f115eb7c9ddcd39e592a9cfa6aed

Download Submit
C:\UserDot9Q\xbodec.exe

Filesize
3.6MB

MD5
bb1f522eee3d39206178a6668a11b716

SHA1
43c87b1477c7758ad35549c479a3d1478ea5c0a0

SHA256
2d86dae4dd9886cba33ca46b823c7034797ad7dc46ad852327da32b160b4934f

SHA512
c86b65868aaf49b9fbc1e76f55ba8021fc00a18d5c778d104ac4f53bd608f65227f942050c58b82b4ba1204c990d17cf0b6603da231e3e12ee4253d1210b65de

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
636800a6f7c9296411a598262bbb9555

SHA1
d9a0e59a4d31fbd01110f8d471dc42c67706918e

SHA256
6f12cf2f8d9a98d15c5dfa722558cc035719c0563136da8d8cffb3da63731408

SHA512
0a0fc88e9a297af0d805b2b25698d92a530889a0078b436ca04ac19375568f303ada963a3aa25d242e9c1b087c4a398fa8f2cd0ebbb3dafb593023263b1ed2c2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
d436b3f66ca4b6708262d91f12413565

SHA1
b970cfde487733d38bea15363e56354144badc1c

SHA256
ec2a0b01b5a4cd2c6dd58f1b56ef4d6a5424a0b4c091042117d7a2ca9d7a5c90

SHA512
ff1045345862981ce02a1af74c7ab3a638280315c1958f525bc09ad64a3ac2631f7921b1738faedd235dea88ca76f4bddc9938f60133ef3b764c3135f989431d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.6MB

MD5
d08f47c2f32ccaf066a827ef831b5a30

SHA1
e1a0cd2e67134d2d447800772f2a23ed24479f9b

SHA256
3651a36ef9e6a6a34b7614410d4b774fbd09a35c231b4c5555e7887fc76546f0

SHA512
8af29518b40baaaff10cf194521c41a44cf2a31a530c760486b35d73e95f30631c9f0cda27464f1f568928490f82e1e5e1645993d3b349bf282931ddabbcaba5

Download Submit