25f94ae6eb5211a891d3f5fafb682f8ee58127a66a76206cdaec307e44876612

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
Size

2.6MB
MD5

dd98876c74f3982f22a782b9001141f0
SHA1

98dfbc262c1c2b1fb5f69895e9b4d26f58d38cd9
SHA256

25f94ae6eb5211a891d3f5fafb682f8ee58127a66a76206cdaec307e44876612
SHA512

60b7de28b7fd761597ac23fe8a98ce6731cd9fbb5738a036fbb5625ed6c817f8d28921d04881c507dc7b7bb786e9e48906e0317ace1a91077c44a49370afe13e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpub

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	sysaopti.exe
2620	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNH\\devdobsys.exe"	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW4\\optidevsys.exe"	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe
2896	sysaopti.exe
2620	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2896	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2896	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2896	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2896	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2620	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2620	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2620	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	29
PID 1736 wrote to memory of 2620	1736	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\FilesNH\devdobsys.exe
  C:\FilesNH\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNH\devdobsys.exe

Filesize
2.6MB

MD5
8297826a92c32cf4957cfd881d459545

SHA1
fca268930e30ab513727129e57ce468f537f4365

SHA256
cf3596ed14b9fcb90849e60bb83e3afd8941320d3bfeb38c8e6d3c5244f16147

SHA512
d0a42709e3e3787dc90fe15eb3a53caf0ee516651b0899972a7bead7558c33e7dacc570ae3c839e496b527d525e619bb607fa7760fa56004c8aabdce95a8be4c

Download Submit
C:\GalaxW4\optidevsys.exe

Filesize
2.2MB

MD5
03c0686be5f2878f32b544222f0290cf

SHA1
ef8146d5f756e3535286cfa3f2055c72e4d66bc8

SHA256
fa02f7e522a4e404c43ef956ee292fb0d99ee2b4bbf0feb0337da33c15a47345

SHA512
351a93308b22670ed9820918c6a55f6747d6584b1db821e625f98bce7001f7a3df2b03ecbdb658c7e00d52ca6eaa5291b8a273b4663fb8858a0ac9f240c8d388

Download Submit
C:\GalaxW4\optidevsys.exe

Filesize
2.6MB

MD5
06303ca55fdf1309caafa7b0941dec1f

SHA1
1bad77b0c11ea612e0eabef7dcb82ff5e33075a9

SHA256
48e60101bbb0639e995df5e4188d78dfc1757b86513e5029a9edc735ac89dd81

SHA512
80999987b17e19a62a4dc03c790259f0658366ab447de2d02f06bd83aea16dc017cd2baac332cc34e2fbaf91a75f84d04f19e2e8d738a25403659aefdbae12c4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
d1dff0904a8984a3549a33ba48663046

SHA1
5a0855418a68801cb27eb478481cc0606898c2b0

SHA256
78005de5783d8e7f62bf3a15dd45c97d19f344db5458a51de1e7a405ef2c442a

SHA512
3aa512acf83a04055ceb3fd3755a5ebba3beeaf4a32eec2cc5d29a40a74606f8f5dcf04632a8cb0d6d49359802755e51c046f3a6d8cdbd947605c15b32eef38d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
360852f022979609c5317969978c48be

SHA1
6c1dd03628f712690457f674964e6f0e1d3c1bcd

SHA256
5693755ecf5eab27806aaa6562f84fcbfea255cb22d983228f056af4ee2e6a8b

SHA512
34fedec32cf010aa1886fac1c43f5b77174402f3391e64408fdce82a9bd48fb29d0d8d7c5fd5cfd46a046104e2674ef60f927391c0b98aca38e3ad4af25b7e72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
47bf734b38d1b85a36095d2527c7ea22

SHA1
73943a5982ea11e3b5d117c28f8d0224aa1dd8cd

SHA256
ac9251d4e22db1e0dd2ee35865a5c0148c6e18ba0a507d20aa29b8196085a062

SHA512
5c619fe014e7cb1e7bd7335deb1eb0e7db782000030cbac1a405f51a7fd0ce8bf3902a282b84677ae6c4a9d7c4c5b081dbc8a04ba23aeb55ce586751545a0855

Download Submit