9b52ad045f26e0bfcd66bb8cb82669bac7431c822283568e9dd26589f6fcb29e

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
Size

3.6MB
MD5

323d1dd970d230486958088e30715e20
SHA1

97366eaf938fe3d849d549d22a1e6ecbf212105c
SHA256

9b52ad045f26e0bfcd66bb8cb82669bac7431c822283568e9dd26589f6fcb29e
SHA512

547fae0f7c5c725140331d6c88436e1162fea75d99429cd603cc10032c25686be4275f00b3ae341cc71eb6178e4a103afadda1246f6eb1c46bfe035beb22e150
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8:sxX7QnxrloE5dpUppbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4700	locadob.exe
4108	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK4\\devoptiloc.exe"	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBP\\dobaloc.exe"	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe
4700	locadob.exe
4700	locadob.exe
4108	devoptiloc.exe
4108	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4700	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	90
PID 4268 wrote to memory of 4700	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	90
PID 4268 wrote to memory of 4700	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	90
PID 4268 wrote to memory of 4108	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	91
PID 4268 wrote to memory of 4108	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	91
PID 4268 wrote to memory of 4108	4268	323d1dd970d230486958088e30715e20_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\323d1dd970d230486958088e30715e20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\323d1dd970d230486958088e30715e20_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\SysDrvK4\devoptiloc.exe
  C:\SysDrvK4\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvK4\devoptiloc.exe

Filesize
2.3MB

MD5
acc7458edfc6bea050c172a6becea87c

SHA1
22c51e97fc46166f35577ebf2b4a166b6c00b2d5

SHA256
1e0314e2fcf4ba3c2aad5e3cbe240e9adf5915689e9827085a0ba75034619bba

SHA512
3f5731bf548e572735e3b8309e979009d29c774d3b437e71d9b1dc2b8086eea2af7244027ccbf070127c2724731f5b99a46917556887f8d3d04cb3ddce2334e7

Download Submit
C:\SysDrvK4\devoptiloc.exe

Filesize
3.6MB

MD5
ebc84261c70c260da4ea2fed641e96aa

SHA1
faba0396413bd86645e38089ada35bbee2dad458

SHA256
78a2eb8edec76ca7ba2a123ee95e372cd6c1d9716e15118ecf29eeda1f8ddf89

SHA512
9645ca77b0b57bb8b7242ec3cc5f431bcb8c07c4e4e9feed2cda88c92ecb5913580a5d6a5f49cf0751c6d8b2f323ec2f8720735b2b56247d27877932a097a0e0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
eb878f03806f9782cc37b739dcad9b1d

SHA1
69ec1463c220f3f93c59a0aa113fd485211f9f68

SHA256
c3d15bca6a68651cb7e4edb2a4e0ce0430f7ef80e5275516591db9546572875c

SHA512
96f8535a4ccf2f930060e0e12e49aef2bbe7875aa31ab63d7a22792cba9b2f22e85f0bc96302cc2c828daff35224dfd0d9e5f1782438e92b86b84477c1e19653

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
285206782d626a34313bff21e95ee507

SHA1
3048827633fa2190d29c9eae3ddb274e234be390

SHA256
5d874d5e241e27aedeccc97863d895b48f486b8f4dc4cce396355e2f2b3c29f1

SHA512
b14b2823533c344f960ba50304fc2dc6027e954c68f098f5e921406849728ea9f3e1aaa0c0d86681a4704881866c4b627c647062c8bc4c1535ecd399dd7fa125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.6MB

MD5
881bc345918de1d462ca5d26d7971bce

SHA1
ce26a7f270ac9bd5b17944c7d177faf895396ce8

SHA256
63a8da96569b3135dfc01832de5eae9a0cf8d4ec0af7bee2b7c59f1cf6c30f64

SHA512
b4c4946ca554db9a31e3aa830c785a2d0fa6e63339d37c2039e3739b5f885a3198d8d7ad4b18f22d8a53db4ff8fdaf12b908c74a36a17d64ec11554b84ad61e2

Download Submit
C:\VidBP\dobaloc.exe

Filesize
240KB

MD5
2a0ebbc4d9547e0f34639bed113d53e0

SHA1
cc1d19461e9a49c81d33df8306055bba1ad34017

SHA256
b1398d65f9466e567e35349932ea7de1b3234f5081b215cb52cab1cb4a7ea83a

SHA512
b89750f24e15ca667b1e80e80ce5d1917301f8d0c3e37642d5ed9d54f3f9f9167ede5980fc2af95ff358bd23ff2575f38ffd4cf951f6efbee56ff9feb678e13a

Download Submit
C:\VidBP\dobaloc.exe

Filesize
18KB

MD5
7b3af07912640805489e8c5cf4d13cdd

SHA1
ebbf740092a005c3977c248e866e368bd740fabe

SHA256
796cd64f663a3cf7a7152674d09a6e15ce855b7bcc484e09032d93e380273de8

SHA512
f38bc3460dcba201e04314f8585733c0305f097921a1c45a98e6211fcaa629f95a25f4bb5248e9228ee4cfb91a86eb34bb42b10cb8f1733aa492b0f8ec1da96d

Download Submit