3055b3aa55f7987d8a6971a5ca2894ef0b5d0123f6993628f2240758711904e9

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 05:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
Size

3.6MB
MD5

44c5a687f09c7cf905c1201b6cbb89b0
SHA1

cb9a49520fd02dcef1b22bccf49199304af3bd99
SHA256

3055b3aa55f7987d8a6971a5ca2894ef0b5d0123f6993628f2240758711904e9
SHA512

2e8e9e19f4e23a6314a95232ef91bc7a050e57bc6888563d4119c9c3d5b19c5e70a0026e1aa81da0089fa6c97a8e2e3da216427d3b312d931f1176949839a2c9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4248	sysdevopti.exe
4132	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOF\\xbodsys.exe"	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLN\\dobdevloc.exe"	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe
4248	sysdevopti.exe
4248	sysdevopti.exe
4132	xbodsys.exe
4132	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4248	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	96
PID 4572 wrote to memory of 4248	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	96
PID 4572 wrote to memory of 4248	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	96
PID 4572 wrote to memory of 4132	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	100
PID 4572 wrote to memory of 4132	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	100
PID 4572 wrote to memory of 4132	4572	44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe	100

C:\Users\Admin\AppData\Local\Temp\44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44c5a687f09c7cf905c1201b6cbb89b0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\FilesOF\xbodsys.exe
  C:\FilesOF\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOF\xbodsys.exe

Filesize
3.6MB

MD5
3208e663b8a75a941894a0c93d93e1b0

SHA1
e75699085214e5f01e1da82130b73b8b69b37685

SHA256
04ff509fc495ef932a5e55ddcf0cfbd2509c74a8a373d5c0dd44565a213bea89

SHA512
7397e7eb4af3690928d0a7a590ab4a8ffe0b21d98d27a2ed51815cf7486cc27d915e214b753c3d66cf34be8125fb92ef638753177bea0e7a89f5774b90c06d4c

Download Submit
C:\MintLN\dobdevloc.exe

Filesize
3.6MB

MD5
036cae94d79a4b3c99839bcd01b25a3a

SHA1
fcf57705e6058d5f787e11a17a58c2cc88393741

SHA256
cf1a13d6c31e6c5a132d10fd52fcf2e19956108876b5a1df721fa9b20a631109

SHA512
df8a87639092d4d5370bdb1bb2e54c2bc43ba4e3f4ecc4494ff17ce879491045d7aedd00614f1344318729c4666f1300faa4be2546ef23a0aa93c08a5a064ad5

Download Submit
C:\MintLN\dobdevloc.exe

Filesize
3.6MB

MD5
a931d7dce94cd6115ece0f88e41d45a8

SHA1
ad7cbca7b78083e7a456fa004924873dfc831f18

SHA256
d4e02f453158def598dc7518934f38c19d7d08ab0f7bd3d3e63d051167e3ae34

SHA512
f3b2dce79bc7e4df26fb9bde236b9d9dfdda192c661eafea990a30767f7508bc3afaaf9ce8697d69422a3e4a1317e67ecd907a8a1d12f874d7eea7389ec6f720

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
c302a5af025743472570af197df97017

SHA1
86945238e324e61229b74b6cd2564836e2ba3568

SHA256
602d05819592267f0987d6804073324238a656e446927905308e9d9ec2c07d4e

SHA512
05bca1dcda393ecd50f74e82cffbffe39892272dd0732b3b4ad838947a84b2b672ce0dec00d81e588089584d976438581167407d3c9cc11caf5ff4587c75b3db

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
ad7d331776eac85a6d467d4f93b763a1

SHA1
8face1bb88792c91c7267ca4ff5399afab944ada

SHA256
49633c23c2eed9ecd9b3f488bac8c95755768490907adb31b5af50e53f10b93f

SHA512
b9134e024e057b690c00a8b5670eda525ee5b2bb724b569320cf4fb4a615e8ef7965d7edacfb33fcf0166b0a9cf1b562b64a06c7cffde703a1feb366b5a8b8a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.6MB

MD5
54ffbf088cb56768b319517116704202

SHA1
607eed4782242eb6efb278a1f5cbff6404719efc

SHA256
7037b83ba6b7277537c3caf9b626e60ed48e34ea1d2bbab58b0f988069c69749

SHA512
35a210002d79b2b3efef13bb10dd7989aebca9315219e00bc7cc2b6a75471245645334c841af97547aee2e55a3776ca9f70e586591e71a740e3bd3fb8faa72af

Download Submit