0be71902d15a12bb0f21ab325ab5f50c4b7935a6320a9c810064ab712142a872

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
Size

4.1MB
MD5

5aaaffdc4bc4802ab0bcec9a62d63930
SHA1

2176930b0802f756ab7193e3c509f9e302f026ca
SHA256

0be71902d15a12bb0f21ab325ab5f50c4b7935a6320a9c810064ab712142a872
SHA512

5e684a05e5bdd754254af407b54e2a7a14ab769fdb9bd526c8ead612e0a59830eb3bb411ad7f93a543e796ca0443e48242954e25917c0fc0abcbeaaec6b094bc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3500	sysxbod.exe
60	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMB\\bodxsys.exe"	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUO\\devoptisys.exe"	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe
3500	sysxbod.exe
3500	sysxbod.exe
60	devoptisys.exe
60	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3500	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	85
PID 652 wrote to memory of 3500	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	85
PID 652 wrote to memory of 3500	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	85
PID 652 wrote to memory of 60	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	86
PID 652 wrote to memory of 60	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	86
PID 652 wrote to memory of 60	652	5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5aaaffdc4bc4802ab0bcec9a62d63930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\AdobeUO\devoptisys.exe
  C:\AdobeUO\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUO\devoptisys.exe

Filesize
141KB

MD5
8df8fab62052244271cc23f5116cc49a

SHA1
589dbff6bb06c57c083bdc2098cdadf007ce2a49

SHA256
b5c99f6a8805e1f31526c51f5da9cdb9a92fcbf59b58b9767b83c458c654a31a

SHA512
cbb90d69b76d07981c2230820a78a611eb74280591223b8e75d63c53d3c3395e2b9b2066d83505bf3e28fb6d5a83261e1dc170e41dfc354cc6ef3f2bd826e779

Download Submit
C:\AdobeUO\devoptisys.exe

Filesize
4.1MB

MD5
4950d2726e167c121cb5f15e75b8c225

SHA1
ad706771fe65fa2874ed56093e919cbaf31b7570

SHA256
484530e9bc8cb79b219756d4cd589094b7e513c016db35d8f74fba7bc941ae64

SHA512
5c549e65b3f6638f49aa7ef69df9f77526a07aa10981ea2339bd3c5aa1b195dab6540fd591523e8b12997b26ab56dbe4d106bb2bcc850b9d48f30a000c4e7e51

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
2705be2414ec1b26ad2f2928652f363a

SHA1
e15bdc465089392d747406c9746bc77d920cb0c2

SHA256
97c3493bb74bd00eae2c332e5682efd5f558bb0b479103a06f3088561e39bea8

SHA512
fa36cb515af6f157a3267c3d3275984074c3d29527eaa24ea65e3fe7ec6eada16ffc9c5ccfe52ddcc9c733fb95cc6cef61916e383cbdca268225edd6855d6c3b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
0eb0d4eb440314c21edb99bcc8dc4a4a

SHA1
e49ab32be9e063cadca6cdf59edace64a4c0d5e9

SHA256
706bc180e5fd74c0b15d0152ecd276ffcf09d71bfe85dc3d13af0fc670d42fb5

SHA512
0dbbe598a2d96d41dfa5d07251fb276d5b3fd46f5d67a29cec1e094ae3cb576e8aebcea8c5d3386b76a75df75bd3afefe4166f7d9d87d57f8c2c257941032ae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.1MB

MD5
aae6c15739fb3f68e25c57e1798c6f5e

SHA1
739c819cb4b94cef8d0ca406ff211a5669a09baf

SHA256
bd102c51e6fb4fff932695efb4f372487502abc2da8be650363b57d80c0cb845

SHA512
f5f0292a3f936690ff9775f2f27199ca7d41366a244e6528f0ce2cd4789c5636062b1afe1d3f7c783c1ee9a8fed48f77dba5d8a6c51014757874c61216754044

Download Submit
C:\VidMB\bodxsys.exe

Filesize
2.3MB

MD5
a55fddc432c5a6a62cd2401e30390d15

SHA1
efecbbb5e228790660711061a9e61020a59e4825

SHA256
84f366cf0bf3a14b0553c079cff751347de403bf145924f24fc0cdae119aac86

SHA512
e84eb4584359aa55ea4ee923b00149c0369f9f989576f6c5d40ba43b5b14e66e264f614f1adc59b7cf079295ddf08c8fa1f86c2e048b2417184c5d80b4f441a0

Download Submit
C:\VidMB\bodxsys.exe

Filesize
4.1MB

MD5
e38f9c2a3861f1f3f9437c448bdf4b36

SHA1
334d460523b97528c6d312221c1da3bdcaffa38b

SHA256
a8c9da453eefe187ae544acbeb116d0ae8556151c659f546161320ad2ba729a6

SHA512
2bf469df9ddc651110ef10fc232062fd9c1c87e7e5a7599c1ecde49e8a44e4fb4db33b0cd0e105871df3c007518826846cfc739d537764d2cbe47ff1ea48fa3c

Download Submit