8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Size

3.6MB
MD5

30ff215da9c612bb7634dc055780c960
SHA1

a60f20058314531bab7102f6b826eb65e62f2a03
SHA256

8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de
SHA512

7d1429ceaa6e4b5c2686ec581020c5b9d128a379001fadd01446069fed256e4717f312fca63ea9cfb11b254a0cedb0a374cf31fc036b80b504fc4528c699bf7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	sysdevopti.exe
3448	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUZ\\devbodloc.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEA\\dobdevloc.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe
3448	devbodloc.exe
4460	sysdevopti.exe
3448	devbodloc.exe
4460	sysdevopti.exe
4460	sysdevopti.exe
3448	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4460	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	91
PID 3484 wrote to memory of 4460	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	91
PID 3484 wrote to memory of 4460	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	91
PID 3484 wrote to memory of 3448	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92
PID 3484 wrote to memory of 3448	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92
PID 3484 wrote to memory of 3448	3484	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\FilesUZ\devbodloc.exe
  C:\FilesUZ\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesUZ\devbodloc.exe

Filesize
3.6MB

MD5
1997fa764e78d131794d2d938236e3db

SHA1
b1f09438184d9bf37b0318eddb353746250b6e0b

SHA256
38fda966e09b3e4f02f49df44222ca9df51c3024778069566e06206d81617a2f

SHA512
20d069bf9f5088709d10b62977c47a0f7e3c5709387e5f1ad69679729d215df884ed5c6d2b895a278b6cd9becbc88a8d5e3e7038b46c64039e15d1e0952b7f74

Download Submit
C:\GalaxEA\dobdevloc.exe

Filesize
3.6MB

MD5
5e47398e622c6a558c434d56cb13fb00

SHA1
5ec5613e8e0469bee52b900e094c7079bff88e41

SHA256
122c105a33694a44bbaed6e74cb95cdd06ca3e8080a88d25b3432fcf3ee3b16f

SHA512
6d36ccbbf367a9dbe51a86ccd2e0832ca26d6eea3418325fc488f9bd1a32ad402703a938868a6bb54d756b0ce3c961f1358b10ef54d82a8558a4827fee3ab665

Download Submit
C:\GalaxEA\dobdevloc.exe

Filesize
3.6MB

MD5
df939e0e7c38cb865fefa2b444c029e1

SHA1
d9a0d3330ade8f73c99d1e932fed5a3bb7652b35

SHA256
520261f1c556a7dc6742c249322ba6fdc8f1867ec3d76f554f046b4974a3d0d6

SHA512
14735c5561f1cff5944c32d6e2a1e7af63af85f058e9760e69c87dcad36fa26da9f8a1cec60a0723248b222ef3122711fcb53694ee9dbdcda8cd0ef06d6d6809

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
1f7fa3d869942aa984ebd67d0d2302d5

SHA1
e5bbd859d3b691ec7c1a77ef581c8b9c6d68c1d7

SHA256
e079fa424343655852d1710fd98528d0ce377558f62ca57bf210a626cc5a27b8

SHA512
74e1f4e6c017b4a4facc1758585d266214de625189c38f7351fc1efd379fd6aafee78f30b1009959e5e0618cf3f9e0bae850440b513575afb4a34e3dca485446

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
9fe5bc67fcbd93aa6a1fd9f04a633112

SHA1
a9f161f0047ae3cf1c00bbe03fa828d3394db50e

SHA256
af4eaf44e8785e19fee1077cbcad2635600584a9298e268a3598ba9336d7528a

SHA512
45a6efb4980b99cbb6b706c68ff28975b4bbeef01967ed8bc58a7b543db42674688775916b2ec2d5a21c38ccabdf91c243bbbb55ee50082ad9ab88a8d54a57f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.6MB

MD5
5e62e1f0092a46940c8ce27a9e958f8a

SHA1
9444b73ace9934b927d6ab8018ab1da67384a663

SHA256
2b212555fc49a31fbe2f1d95b4f83979b3c15c0f9b68cf170d4b82ad90562018

SHA512
2b4c29e5fb4323d839617e9975ad406a9bca0c1ba8a93842397edad3ebe7f684fe709c52bd407d89aed75fe2b0cf45adcb2cf7d37ef3cd824f78b3c505088326

Download Submit