47c1082acba70d2ac8ff1982a6fd321f063965fd26c74f20e17bec4ee654a408

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 23:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
Size

4.1MB
MD5

5adb85521a38b9e6b777dfcd021d0ec0
SHA1

fff63f4c49ec872adcb826573292ba969084b187
SHA256

47c1082acba70d2ac8ff1982a6fd321f063965fd26c74f20e17bec4ee654a408
SHA512

0c94c8507ca6203f9093cdba60f576d826043f816fb8739994513036ee32f95bda806dff5a6262873a1273aeb0cc82a5cb046b8f00ace33fa0cab1471f95f85c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpTbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4624	sysxdob.exe
1744	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3R\\devoptisys.exe"	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB6\\optidevloc.exe"	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe
4624	sysxdob.exe
4624	sysxdob.exe
1744	devoptisys.exe
1744	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4624	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	86
PID 400 wrote to memory of 4624	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	86
PID 400 wrote to memory of 4624	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	86
PID 400 wrote to memory of 1744	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	87
PID 400 wrote to memory of 1744	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	87
PID 400 wrote to memory of 1744	400	5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5adb85521a38b9e6b777dfcd021d0ec0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Intelproc3R\devoptisys.exe
  C:\Intelproc3R\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc3R\devoptisys.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
C:\Intelproc3R\devoptisys.exe

Filesize
4.1MB

MD5
44b84f721b2e44cb85bb95a18aeaaaf8

SHA1
ac76e619e29b177c02df9ca3b2bdf5424c601b53

SHA256
7bdf20c58bc3645984dda1fb4285420d7d4fefa44435e138b067da70f6269336

SHA512
c463a5472e5111c8110f6c6695dab998e43a20c2cfc38eb4bd4168f6593d0da7a891089e7ad982f310aa7f946d0df08d6e523901cc67c80cfb52f7de42c4f7b9

Download Submit
C:\MintB6\optidevloc.exe

Filesize
358KB

MD5
ef7f0486367d4c0cee6c449f2acf079e

SHA1
59a1938c618060d121b52b5966ec97cb32076d48

SHA256
79d887598ddfd38f76a2b4bf40a259724f24d5082cd1ac84741b24d43a5a97d4

SHA512
94b71a57ae9cd1e219a8a496c78d546038531d1208147d8277650c76611fa595aa5f5ee1c6ea15031feb62965b0033a09c904873595c1e7d130b933c3134af1d

Download Submit
C:\MintB6\optidevloc.exe

Filesize
1.2MB

MD5
ebc2a805ac3420eab88c425a5552f498

SHA1
b919540fd3e47d5ca6804e17bceea0354240b1b8

SHA256
673d6b23518d81cb21e11f8ddb15e86068e3aa3ad23a66b64e3189540c4a9298

SHA512
2e3da5f6158316a13d26b7984bcbe9d051663efb30bf2be7af987abe9cdf6b46e54e9cb397ab4cf2f9801394f1ae7e1bb7642ffc404323621076df174a74d812

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
83fc7a7daaa11a50ee4670baa53174a3

SHA1
2861176bd8d80e90c5057c17c1cecdad28ba0fc2

SHA256
052cfade5e7f3b8b400473938f9b3fbb0b89dbe5a083d8dd7880f1670e89981c

SHA512
8a3250ba56d752ff20c68f9e322e55fca381497a65da4a10a80b9ab1c45e7da4ca1c54580d203a5efdb9b0cce571ef8245a0eb3b66f37d45b836485f38a3fe5c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
178B

MD5
deb663d9c10d1e7abe967e1b10604db7

SHA1
5d7060f90d7435b7cb4b12c9dc63c64b65a6ac83

SHA256
cccfae9373c0ab8ed50535e32b869da70cc8c005664d5ea59491a3470ab8d2bb

SHA512
eb2588fd35e778cd0739369c2653fc5158627f119636c887f5aed23425ff4da0032493a466a338e084bd1ecd390eb5e1c9620f22d57ff504b451769c1bd8e05e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
1211a2b4e663f874c7c2b9b92364615f

SHA1
b271460f64eed11bb97bb36a6ee2c3d6912f3170

SHA256
d093692e80fc9ce22551fb324a79ec46fe09dfc62909fd95e49e47fa2e510045

SHA512
8931103d5b2937157a56fd231f7f369491252bd3bdc3cffdd98a17a7b856d1d829a936fd625edc30350859ac8cc23d7a953ce4abd70d4bb5f69d38b02b0a0286

Download Submit