6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
Size

4.1MB
MD5

41d8293d6d470a82147f90db4bbd7e40
SHA1

fefd07c84d228b570be7182fb1f2e045c751cebb
SHA256

6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5
SHA512

9516512dcae7a0d44d0d622464a2b3aae81b6e45e8dd94bedcb70c7549ff7dfb73cf061d174e4a5dc4a3ab642eaa538d2c0c31753c06403152b8d600edcbc66e
SSDEEP

98304:sxX7QnxrloE5dpUp3bVz8eLFcz1/wiAUc2:sxX7QnHoE5dux9a1/pc2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	locxdob.exe
1736	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4I\\devoptisys.exe"	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2C\\dobxsys.exe"	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe
2904	locxdob.exe
1736	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2904	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 1736	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 1736	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 1736	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 1736	2020	41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Files4I\devoptisys.exe
  C:\Files4I\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4I\devoptisys.exe

Filesize
4.1MB

MD5
55d22ad436a7db17ae8fcd23362d6da8

SHA1
a9781a9b4e83824f0a57269288edb19d4d05048c

SHA256
47d584a7c4b639224d5a1caf8af56b6d63347d19c5d46192102a4fe2ec011601

SHA512
fae935c9c9bab6e300c762433812cb6169f5c06b3547473e572c5c4c1f5e604351430746aa076650d4ed14d44593d89c671147c720ad8da5436d6ccefba2af26

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
9bf89eb198107912aacc5468440778ca

SHA1
95cfc8958d6dc0e8b1b41098301ce447894b95f0

SHA256
6754c63839db81ae266bc3b6f638639df6efbd76f3b69d3a91f0738c0977cd0f

SHA512
9f866db166320967a2a3dd526bd8fdf18f0d035d40431e3d9bd4f05267de980070eb5b6258ee6f31a3e3831ffeb53aeb18a47072c3ee878deadfcb77d6ff1c71

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
359e3a7e3177fe2b9452b11d903a2403

SHA1
dbd11b7d6022147ab1b1b050f9fa23dc7aaefac1

SHA256
0b61301add0b8435fb1a38a7474280151c857875caa83cbfc63b43e625946a72

SHA512
ba5887e4c9a86e221b16841624b08f29d994d4c2df4c703e05af0f48ec3cf6ef2c4f9f64b371f9335f6ac6c939c8e80911369b11623cea21ee0d26654948c0d5

Download Submit
C:\Vid2C\dobxsys.exe

Filesize
4.1MB

MD5
88823baa9a9887e9f124f2f0f8372098

SHA1
ccd04be6f02740beaf25ea4a1e52a82ceeb37cb0

SHA256
3c45c5aae123ed149cfb06a3c4df99b3a58c0a01c235b7a8bf607b564cde28a8

SHA512
4a9c1529be2947934078ec16425afbfb99a4767da4fb1edd2118b0b5ec2ad9334ea02091615320f7aae26d26da4a515478c371ba6bc70d8311a589dc8ab87647

Download Submit
C:\Vid2C\dobxsys.exe

Filesize
4.1MB

MD5
2a34a17e2d690151235af64586a65d06

SHA1
e20fdf943ce1cc520509c0ce7e70b4723d41ea8a

SHA256
755aaee0f85da6f451a2dba21c51f6060b4f0dc494ec4c4356d09f312be4393f

SHA512
3b0bb855f52432ab6a397174f147da6cd19d3340432b15bc2186086855f82e5e5760db6a813a32f5e40a4c3ff024c55f6d0e042b5b5d1bb662876ced93cfc5af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
4.1MB

MD5
9cd8f0344bf46ae462340621c0615fa9

SHA1
630af98ee12788999906efa5b984e19518b46cae

SHA256
a88cebd51567baa490ca3774c8879b5737e09670543a0642acb4b81e218cea00

SHA512
aa342a825d68b74b8bb2fe10fb03282a3bad508e60e47d7e0ed76a0e7d64442fcfbb13d555af74c5837b494225cfce8417bf8503f4b8aeaecc2b11b2e270ddc5

Download Submit