958d5d9f0681d3d23a75e88c013c79f0f89b1b16271140303c7e41a9d795d99f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 03:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
Size

3.6MB
MD5

9984511d06af086d3772e9e4a947fac0
SHA1

c78d2995d304cd9053fd6e12412fa20530cea911
SHA256

958d5d9f0681d3d23a75e88c013c79f0f89b1b16271140303c7e41a9d795d99f
SHA512

684590846f597248cdfb44610c245f0ed86870dcb2b43c32b8b62d3f0767ee0bc78975b6fcaf4d1ada69f431d8e89950561e28a829f08951d33194d35ba2e19e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8:sxX7QnxrloE5dpUpKbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3084	locdevopti.exe
4956	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKB\\optiasys.exe"	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv71\\devbodsys.exe"	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe
3084	locdevopti.exe
3084	locdevopti.exe
4956	devbodsys.exe
4956	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 3084	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	85
PID 948 wrote to memory of 3084	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	85
PID 948 wrote to memory of 3084	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	85
PID 948 wrote to memory of 4956	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	86
PID 948 wrote to memory of 4956	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	86
PID 948 wrote to memory of 4956	948	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\SysDrv71\devbodsys.exe
  C:\SysDrv71\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKB\optiasys.exe

Filesize
3.6MB

MD5
90557e40056c12ccdc45e7fbff1864d5

SHA1
e106d59091db46a52090e9f005a2c1c1193f024b

SHA256
4f7493cb7f41d721123fe4a986b91f46ef76d9706075d2278422f17ac40cfca5

SHA512
fbde70880aa9517c598e67f07c613f7522eeab8675d5bbf27df2bf04722351761839dc82a7b734c500b3960d2ed6d4eb72a6d52c4fa4283f1d63073aa4fa4e2a

Download Submit
C:\GalaxKB\optiasys.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit
C:\SysDrv71\devbodsys.exe

Filesize
1KB

MD5
81306907a8898717e74eee7fe3ec9748

SHA1
6871f1f920d712de6120473f387e1497841b3829

SHA256
1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322

SHA512
205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

Download Submit
C:\SysDrv71\devbodsys.exe

Filesize
3.6MB

MD5
6c82a1595710aaa79e98ea7354ea5a62

SHA1
66a904917e539a2c33497544b3c2149164cf604b

SHA256
4d845681b8bd54bde03a6d7855a264ad248c75a69de8f67a11548e387c1e9ffc

SHA512
5148fccf9fd1da410bb130689d033f24f9c2c3b715a5c4f6f0aa498cb5a4c437ec696a4603ad21b4406971db5a3ff5644f5c0d2ec8c20de0fe1119c44f4bebf5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
4ab878bce14a4a2691b1b841883241ef

SHA1
1b76005670fac1763580160a468ca70cdb399f5d

SHA256
4d55ac6ae3a60efe56d35818fb7635728867996bead743d26050f1dde433cc6a

SHA512
c5a0fe760195d2b480da8dc6dcc46239405a79ee52bd014c9a89a01292b849527eba9e36603b1d4a42aec5b5c92eb79d7ec4661d3ce3d7079386c86d70f713b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
b4d4d7530cc980aebc4cd35589cfc9cf

SHA1
ea88e3b94d483dc7ca03bf41ba2cf4e8542ed517

SHA256
666e4d574ee19e2f928fb3aa520fdda25620c80414b41ad8a61860707eaf3299

SHA512
9b9c410dcd4db05c733d9171a9317803ed26c263b54fea0dd59132983f37e3e6b13a9486e0548d6ece1337afe4dd2484ed9d6d8f3a2e3e3e5fe6a3eb1578d634

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
5ebbfd71b0d11a75ea3a415808ff7552

SHA1
57a14f6039ae428807189fb0f9bba481917d2a93

SHA256
4aafa442befa17fc09fbe445c6362248618fd2b0e0405dcf28d43df3b52c3070

SHA512
5250abeb1078102c1f4d7e3d1762688a9ff9c6f0c42ab27c1efd8b3e1e1019d6435c1708e8bb643731937bc3480f8b7c8749d02e0c3752eb9845624e017679a4

Download Submit