3dee4768ce91e4cdeff6660fc5b1e68df8190c247f3977c481fef80a9ac8913a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
Size

3.9MB
MD5

27681de3f5ba6d4c8d84a7161b75ec60
SHA1

ef240ae6b5edff0a797d934a96c7d499645d3fce
SHA256

3dee4768ce91e4cdeff6660fc5b1e68df8190c247f3977c481fef80a9ac8913a
SHA512

467cf6fec4d156331464ee4a246fffaec1e436568455535d62e9fffe7854c0d128622e2a4d12c133810711a9df7f7e832661ffd4906756666e1084af51a80157
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8:sxX7QnxrloE5dpUplbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1516	sysdevbod.exe
2724	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAI\\xbodsys.exe"	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintS0\\optidevec.exe"	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe
1516	sysdevbod.exe
1516	sysdevbod.exe
2724	xbodsys.exe
2724	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1516	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 1516	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 1516	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 2724	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	92
PID 3224 wrote to memory of 2724	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	92
PID 3224 wrote to memory of 2724	3224	27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\27681de3f5ba6d4c8d84a7161b75ec60_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\SysDrvAI\xbodsys.exe
  C:\SysDrvAI\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintS0\optidevec.exe

Filesize
3.9MB

MD5
444f475416b14674106eec610f3daa30

SHA1
6c1f2ab0b979ab0673dacc25472638ec6fa2d328

SHA256
01d94661b04e31caaa6ffbb82070bd061eca6043842acf49194473385e53f848

SHA512
773f75fb72d0051ff8bbfd2d5a5eac5ac890cd32b711564809578905537000f88e05dbcf2dfd32f5ed2666c7aac217ddf9c185bed82cd123c64854d58b874294

Download Submit
C:\MintS0\optidevec.exe

Filesize
3.9MB

MD5
7ecb019dcb8a42792a7b50eef7f7aa2c

SHA1
0e515e57b2b0d2be61647f8316d67049de46b118

SHA256
726bb8a00d6d9e648249c1e33395441dff21389bfa69b6a99771186cc4533f7e

SHA512
20b77131a3cfbf06cc13ce8a46029f558bebb960f15ccdd2e086a4e70c38ab6e2ea97ddc4654b8a3c83d2f6340d6ea64294a6a4520277cad4177ed199a2fbf38

Download Submit
C:\SysDrvAI\xbodsys.exe

Filesize
302KB

MD5
3790914b34e09a3a529c41a64fabf0fe

SHA1
0ebb9eaf04c12a70a49ec7cf7fd72f0eec33eb95

SHA256
cf466f74f7ca5d0f63b49eb252378d0febfa9347f5473b88b1b8636b786e11ab

SHA512
b90b5497fb6f2bc6adce686534b316d072caa2bb0803d1f501f7d1dc6e8e309d394d844847e84da06d2532a1e37cba68bcf018e5a72e57a756002c35fd52dbcc

Download Submit
C:\SysDrvAI\xbodsys.exe

Filesize
3.9MB

MD5
2c955a858dc6e5941e6bff70946d105f

SHA1
b6b5de5ae9db458bfa7fc5ddeb89525d602c0fc5

SHA256
ebc12fe464a9881ca996728d49e5b4b208b09410f111a6485b62794958142f64

SHA512
eaea0dc8d3c12345c62ce064be0261311c67ee0ccb60869436b0e9bd222c431c277feae2bf8f42258f9ba7adaaad233ac1f413f7079d3108fe60208e0410c0e9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
03c39c5ea439576c93ae5064bbfc2ffc

SHA1
56579c15f809d5aafb0231a4571ea81f729a636a

SHA256
890d57dca15adfbfcf7284c8bb313ffd01244ef3d335a0faded5b319ce97af92

SHA512
b341ff6aedbce5ca22ba68ee9ee2eda348326ed1577ba52d473dc39c6f9177fe0995c9f745b8a3afc4827dd2bce14862a44ec86da48b6a0e7485928a62209e56

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
17e0cb00f46e3307b64bdd617dedec89

SHA1
96ae859700eeef0e64920960b451aeed29c204b6

SHA256
dd0a9128ffd851bded8e8b723b4f6616164cbd282a6de599751d069083be6184

SHA512
af182d86aaa7cdc0a49837bfef23a260c19bfe8903179f2d75d4b9233697a07045fb72fb6a483c6a6292cd8b03b53d0c4b0e44dc555af57314e155e19c7996dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.9MB

MD5
79a1ad9b40c15fd4f6241ec27b836d57

SHA1
d4ccb94d91f2a88464cafea1dc2b28cfc0548d96

SHA256
726ebacfa03a176db8cb6fd6f31d70cd3ccb210a85bea93be51141eb5c6dfbce

SHA512
d9cd84d594a6bf590047561551dee1b615adc273ba0dbe2744b914125c19920726ce1781449513a7ee90d6126c27a2193aa1f48312f42f41cce012eee7767010

Download Submit