d276d9f389dafb93af016e1bb14a78c1ab84283c58a8eb92f7d8e82ccc7c8d20

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
Size

3.0MB
MD5

28bbf812878661f90ccbda967e5a3010
SHA1

c462ad377cc3167688f02d48442d19732d2c3b3f
SHA256

d276d9f389dafb93af016e1bb14a78c1ab84283c58a8eb92f7d8e82ccc7c8d20
SHA512

dce6ee65fdbe8e921a2b0ecafe3545be53eb153b1992c09de6757444e17e128aa0373674f6441e998b32055dff96c6abe5ec236e40ad8e4e08134a4665ec681e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNX:sxX7QnxrloE5dpUp5bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	sysdevbod.exe
2632	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotY6\\xoptisys.exe"	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJI\\bodxec.exe"	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe
2044	sysdevbod.exe
2632	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2044	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2044	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2044	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2044	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2632	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2632	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2632	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2632	2964	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\UserDotY6\xoptisys.exe
  C:\UserDotY6\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJI\bodxec.exe

Filesize
3.0MB

MD5
d9e59ef23c169326c242980e84dc585c

SHA1
6c99b71754f833a3a4fe5fccabfb1d47398672a1

SHA256
7cc4fb54d4e143f6b93304ef327ae0f605d0d5152b4e8863bee85ceaef26cc11

SHA512
db7df0afd1d9c60731fe52a2e94408d61e9f324313209875ad35c0eb883ba3d6abac6ceb885e4e9872de03f280748524d4aa1557d0c997060c252a9b77e80dca

Download Submit
C:\UserDotY6\xoptisys.exe

Filesize
3.0MB

MD5
c1bbe5acbc35f0e38771bd42187b4a73

SHA1
d1fa97076a7e782587030d05a074903ed1622f2b

SHA256
12c3bdd75f6165ec1f5fbb44f614d97119bcbf51290566d0f1cb8b21c1414747

SHA512
edbd91460abd9fcaabb16f1e73c3046b792b9d494ade8573caf30db4f3ec7098ecfc13cda95119c979019ae0ee34fcbd59f177bab8ba6c36acdd754ceaa31c4b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
6b861a82c597526552e4c0f9acd66057

SHA1
1a6f412a0661432d77c8f2c904249a1148b673b0

SHA256
017f24a6d5624b824d70d0e0854690668734cb16bc310a898a04cc4b9dba5855

SHA512
cd5c294477bbbf7eeb05d762cba6fc1701b842f34b9acc4fe84a963c9f2650438f24e4728179bb979f964323cc6d99496962ddafa2ace23ed1d9f129b9564779

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
48d3a91171f377f1bdf5e91e760735e2

SHA1
6853e464b983f0f80521c901cf074bf2c3b3af83

SHA256
3244e6f99f33852ca26c1376ad58b9877e1b9db7fb0b8dec3767767fe475d349

SHA512
c3c2d9a0125b5b64626313571d0cf1936b8afb778e95438de7a55bd885b5fec74acc64e08c1e3af5fbd550bce77683ad4bc74190acee5320651091c88abfa299

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.0MB

MD5
f5a0c593f1a32bfba19a7ebd0593af07

SHA1
2bad29a4b9376bcd44974df3d53473c60eb22e29

SHA256
a5607130f26b0b1c129ea2d405da17b953f21c5b254080cfa8956f0e314ec1ea

SHA512
e90c42d27652a85d4a01593eeee1b13de5c255c042ba2564842f07f50121dd879c4d8adf97da0d2d694382a34110d100eb7896a1fb47ee1a8defdd550fcd273d

Download Submit