f5842ecbcb484bc13e9bcc8377c37e07195036d7fb05c2ede21fe46ea0151ab4

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
Size

3.6MB
MD5

6e1ab494035aa17d07a3b8c8d0dc6820
SHA1

37b0d34c7e04784b020aef0436447a738db8857e
SHA256

f5842ecbcb484bc13e9bcc8377c37e07195036d7fb05c2ede21fe46ea0151ab4
SHA512

18f9faad312fd3dd034f7668f1f5fbeaf34a435f99fa4c5845acc43dc40959a5743b74efd8e0fa1fc78f75b9992084033be3bbe8516a83c6711b8536a877178e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1304	sysxbod.exe
1052	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv87\\devdobec.exe"	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYN\\optiasys.exe"	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe
1304	sysxbod.exe
1304	sysxbod.exe
1052	devdobec.exe
1052	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5636 wrote to memory of 1304	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	84
PID 5636 wrote to memory of 1304	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	84
PID 5636 wrote to memory of 1304	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	84
PID 5636 wrote to memory of 1052	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	85
PID 5636 wrote to memory of 1052	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	85
PID 5636 wrote to memory of 1052	5636	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\SysDrv87\devdobec.exe
  C:\SysDrv87\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintYN\optiasys.exe

Filesize
1.1MB

MD5
6e48d44a2a7b87b8a12c9f870126dda9

SHA1
ab6f43b0e31424c7359180e7fbc045cc48cbafd1

SHA256
e75867c426719c4dbf6b3bb96bce309c8b1584df77e929740d2ad4e62bbfbeb6

SHA512
37555fbe1b080936e301ee7b29c0ee2e78fcd83a5540bc7519def4c944490517c8869c4cc96abff853811c6a25363d29f0811274a01381ca8a5d893a789b4889

Download Submit
C:\MintYN\optiasys.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit
C:\SysDrv87\devdobec.exe

Filesize
9KB

MD5
16a4bb0fc3d5c44be3028068af1ea1ef

SHA1
3525da0805ed7773dfef437f24482b727389e9db

SHA256
cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

SHA512
b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

Download Submit
C:\SysDrv87\devdobec.exe

Filesize
3.6MB

MD5
f680b3f5df637f8af39e6ae3f85f9468

SHA1
fe7ba7fb834d0efdf7ad886bf22bb3e0bcca7d16

SHA256
5f0c3fcb2ce5cf05bc447f24b905a4b93ff7b9d6d5e739c9602136529239da5c

SHA512
41dfdc4c6d9bfb532e287fd340c7509d4bfa4f22128090e5b3ceb37fd21358ebc892d3cac52e5cf51b81ae65fd297e024bb5135c4e2f002d75a60860230dcf74

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
9e7d057e1c486258ce0cf947d3d44f6e

SHA1
ab9b38f5d5574b3dcb4bc4674b791fcbfca399f2

SHA256
fa9525f60b328c003473fce413681d0dc32d5cae699e3812fb0fd33c6f85a94b

SHA512
41d1627719d8b0831eb1f7fd65ff51cd8d6fc423ac8841ae1e19517382d7854c9e2e0a405b66ba3e68d7582f38f805fb369bc8fe3804bd5fc1f4a238c1dd4304

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
ad5407c2ec688aa847d4b973670ace2e

SHA1
5180db9235fcff6e31ab926ec739109b49242311

SHA256
8f8e5ef6fefb485c51d633e697e1051e8299507dc4920d9554c968836311d26a

SHA512
8d3799032be229bdd1f00e78e0b032d19f48caa3bfa7a3de84912adbc74f555b98b20d3ca217c5f9f12650266aea46f9c79433184466bf28dba5397fb151e242

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
3.6MB

MD5
a1c105bdb530bfa3f0452b0d94a9261d

SHA1
1d716d7981feff3927d9801e6e64f24744a4918d

SHA256
37ef0448c3dab64d7170b011eff68f08dc332fa5d1807b3baa6456c330bf1053

SHA512
38488f17b50bf522cecdd47b06d47bab4fff072112e9a708384469bf40cd9092f17a7db8765822babddb9db6938552662ced91e48e65e7f2ce6ebd103c6451d3

Download Submit