f600974679db9d77f557ffe6359b6591021159821caad1e0788b7aefa4d66872

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
Size

2.7MB
MD5

38ecc1d6a1d952d53d21f2b8d0cd4570
SHA1

eddf6ff07e266aeedfcd6513bebf1ce347b42268
SHA256

f600974679db9d77f557ffe6359b6591021159821caad1e0788b7aefa4d66872
SHA512

e0c68ecc30d04e640a8c4260191730e3fd278438cf195890e29d3907520f4fd0108a8a0e137ccc7b318ab9a12ef44486a0e59b269a343485bc39dab755c6efa1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSq:sxX7QnxrloE5dpUpFbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	locabod.exe
2536	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBK\\devoptisys.exe"	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYJ\\optixec.exe"	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe
2936	locabod.exe
2536	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2936	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2936	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2936	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2936	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 2536	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2536	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2536	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	29
PID 2392 wrote to memory of 2536	2392	38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38ecc1d6a1d952d53d21f2b8d0cd4570_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\FilesBK\devoptisys.exe
  C:\FilesBK\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBK\devoptisys.exe

Filesize
2.7MB

MD5
0a5e7da959a72f39dd00134ea1fb7c49

SHA1
c0fb043c033d3a4446d6aa46932ff1201b016ff8

SHA256
0e4cf867a7cf8d77cb8adc971bceb8d1d5ecff478e37f145c08836d97b713ca7

SHA512
328190b71689c618f6d86d2ee6cad4766b87087b8abf628baa13101ad0f1178c9708cc65d8824b85b1bc9dbda9c7d550f1e60e65125699228553dbe444ef1780

Download Submit
C:\MintYJ\optixec.exe

Filesize
1.5MB

MD5
e6996ce8f6cdb03f907fd1fe14dab339

SHA1
41036a73988f7492cab14b2192fc4b05be853d4d

SHA256
5ace50d2f4ed3171dd43fec616d4ffc2d87ef00dc4ed735fa8e1360268983ab0

SHA512
e2a4548cc7d94423bed9a3a631384bf2a7adb2a8ad562e7773271861743559d48a14dacda9ba256862821ed7df5c1bb18e4503344ffe1201fb49384a5b80e644

Download Submit
C:\MintYJ\optixec.exe

Filesize
2.7MB

MD5
3e3d429aee9ef021b09309d7ee1665d5

SHA1
215f060347c00202986b13a2015a91a496c18498

SHA256
143f405c8e6a546925438d61f93ecc45d613844bcd37b01fe9cf36e33b5251d4

SHA512
9274de327f37ef34709007c88ebfca91dd6fd4187bad18c493f45e1bb2b229f4c464ce56a61747569e3b5ad83d0b7fab94c219fc578265195674254ebb3f8582

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
dd43636ca9a5482727977cefe153906a

SHA1
517794465acbeba2e2564725b6308183a278bb3e

SHA256
51d36d4becdaaac8623a2f2d4de44924d4624d5ee2a84cd080d5865921e0312a

SHA512
5415f77b55b09f8ef6d79419f8a365cd3f7f27b23cbb3651e5835bd3c0f72026e3b63d214b954659fa5ad7375e37eb8386adc2eb3bd02b9fa6304b02d1629353

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b43427d38328441b54eaef90ff136aeb

SHA1
cf2e00bc38876e3fd970c5da366042493f96187e

SHA256
0f1ff40606b099bd8043bd7dd52f20933038a1bf55f725dcd46c66835bd75207

SHA512
70aebdd774757dc1d8ea773a7e56a7fe5f12a6d21fae1efa72c47169fdda2d1ab7071d80017736f894a96759aaf2ff89aa9b676f8f0d1cce94b11fe7de4e0847

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.7MB

MD5
eb853b88818bdda226ee6e24cbffc74e

SHA1
4f854e380294edc17718e6c6a5365716b4b5397d

SHA256
1082e1b56b26bc78c101dca6b3db307286b0aa2082d6b64377b280089681d114

SHA512
6e0ede8d0c7755083209c2f1d305c0d7897644213db180a5a7bd059bf106de32f203e65dcf0dc06b52366c74f9ce7753a4483ba501f0fb6a8e3d5d8cded7288c

Download Submit