473c62e0e48cb76a573436ee869ee0a0c768d3a730ffe0d95447a2a180d458fa

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
Size

3.0MB
MD5

4a0756aa51b0881347cff5e93276fa10
SHA1

90cf9e83acb2d9fa910a2d6cb53668de5ff1f538
SHA256

473c62e0e48cb76a573436ee869ee0a0c768d3a730ffe0d95447a2a180d458fa
SHA512

5db856e61c61371d332b3ddf34876218e33905af7885ef4cc7b225f7d1e5ed61b43e4aa219a42dfd5d2e5b0ad2f27ee860414bc384109f4c9e3f7a265312581c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNX:sxX7QnxrloE5dpUplbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4056	sysaopti.exe
1000	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files60\\xbodec.exe"	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSS\\dobdevsys.exe"	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe
4056	sysaopti.exe
4056	sysaopti.exe
1000	xbodec.exe
1000	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4056	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	95
PID 5088 wrote to memory of 4056	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	95
PID 5088 wrote to memory of 4056	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	95
PID 5088 wrote to memory of 1000	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	96
PID 5088 wrote to memory of 1000	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	96
PID 5088 wrote to memory of 1000	5088	4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe	96

C:\Users\Admin\AppData\Local\Temp\4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a0756aa51b0881347cff5e93276fa10_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Files60\xbodec.exe
  C:\Files60\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files60\xbodec.exe

Filesize
3.0MB

MD5
1f86cd0b70283c35f2a2a2d776f29c39

SHA1
b0079720d9155be9eef13a80c737ace574f33d1d

SHA256
fcc63132df2d5fcc5b6d0cbb77fd6050245fc98aadf65d10d630a86a06f4cfbb

SHA512
7bf4313d0ee2757318986695807c696ad1167bab411f21f906eedca90a98ee7304058c425430d9ad591feac27f6d69a332dae1a7bdc7defe156b95899a3d60a0

Download Submit
C:\MintSS\dobdevsys.exe

Filesize
3.0MB

MD5
b906291743b33d1edb241a8d1d567c4c

SHA1
5b88d83b35fd640d23db78935295bfea5b0d1b15

SHA256
6ea804d598a86ff065616310a115dfde3c0dc1924ef8f785ad782fe5da99fd43

SHA512
cbea5f2d705bec9f19333c7f28e4c86b98091062d8b28781aaee3c8668b325517abaff61f2c787ae6e45c2d029b279b36382d6e5c3974478ddc193db99e0ce11

Download Submit
C:\MintSS\dobdevsys.exe

Filesize
3.0MB

MD5
02686b7e4430f436c1e92eba6d14d7a5

SHA1
a96ffb44bad929239c6fb72613b364cf1dcb1150

SHA256
56aa5ed8508bcb4ea2e06955d99c67ecea34b768cd2de2ed6a0fd3496dd9048a

SHA512
078b4b84fadb67b8f898989956102923b514e597c753a079be2ac4dff5ab7e280463d413ae211e1e24efe0f63d5ade609b77b4cb6db47331a6d40d6c8fad0be5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
19823e539c564e6e19f8682e13f7e141

SHA1
09624ccada6d7c3daf35c2a4d9776a79837c3d2a

SHA256
b0bb03fa08f9b383312d842749fad119740e3f697fca93d523c1d771e90184dd

SHA512
537d1b1da90edae6a8010ead121599dd4452a7b69f53286e4e11d432c98a36f0cefbd171500d98622e6cce98fb0b6157dd4633633eade088a712ebbd17f81dc3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
dcdba2567b572f92ed266d6637f3d0c0

SHA1
ae2fe5f2604df9ce9bac12d6a3f3a57e4696938f

SHA256
e4ab72734ecb80cda084e6126dfb221e8254ccfd213eefeff0dde57070ca052f

SHA512
007d6d1e7f8b05a0af866835f14b5cd53cf1dbef43cad61bb289eb59bdcb9e16173a049ca17053c73d6c609c91b6ebf15f18094c98f469cd7f42008228dd715a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
6e3e09b93428b3074b8a7456097e929a

SHA1
b7ff5c789de5c5bdbe043727d1ecb7f1e538b9f5

SHA256
2ab05cd1d6dbdcd65e8464c577c8a56b0856b3f1a9ddff97e88ac02f91ce0e18

SHA512
80f49d9c705d0097b9f82780d89058317ae2272db83735aefe7d7c80694f03fa335416a7b3e3022c4a70546a45e42701cd8ec001aaeb9c65295f2c9320caae51

Download Submit