25f94ae6eb5211a891d3f5fafb682f8ee58127a66a76206cdaec307e44876612

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
Size

2.6MB
MD5

dd98876c74f3982f22a782b9001141f0
SHA1

98dfbc262c1c2b1fb5f69895e9b4d26f58d38cd9
SHA256

25f94ae6eb5211a891d3f5fafb682f8ee58127a66a76206cdaec307e44876612
SHA512

60b7de28b7fd761597ac23fe8a98ce6731cd9fbb5738a036fbb5625ed6c817f8d28921d04881c507dc7b7bb786e9e48906e0317ace1a91077c44a49370afe13e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpub

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4732	sysdevopti.exe
4856	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\devbodec.exe"	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint94\\optidevsys.exe"	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe
4732	sysdevopti.exe
4732	sysdevopti.exe
4856	devbodec.exe
4856	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4732	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	85
PID 1668 wrote to memory of 4732	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	85
PID 1668 wrote to memory of 4732	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	85
PID 1668 wrote to memory of 4856	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	86
PID 1668 wrote to memory of 4856	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	86
PID 1668 wrote to memory of 4856	1668	dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd98876c74f3982f22a782b9001141f0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\UserDotHU\devbodec.exe
  C:\UserDotHU\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint94\optidevsys.exe

Filesize
844KB

MD5
e8b1c4e8852a90a5b53a27af15ecce45

SHA1
96f220254aa8f1a8e3f0a6f3a83cb456b8356d0a

SHA256
45b9dbf962982c76acc4c3c3abe09e11a096f5f29f6cd60b4c5a7488e065a8ee

SHA512
4f475427bb954d50f078df75b5e505c25f21fe455f8316bf249fe35ddb4d1870479f51dfd82f23c90eea08e6802796861a87746ab80c44f882ce712acca2f1f2

Download Submit
C:\Mint94\optidevsys.exe

Filesize
993KB

MD5
8787b3079518903971ae689ce8a5da34

SHA1
b2907da6e184b14779581f6e9c865e0ccac677b3

SHA256
cb47d03ecf9ed5a014eb9d10453da7764e23eacd0dd79a11cfd36f3edf315a32

SHA512
b68be7af4df417252b182af7a80d7f13aa1c9bf88ff23e6c1df1adf3c84f5280fea610e342308b9a1c45c87dbd2d4739da0d0a5df321bbd5357e6e128c3df441

Download Submit
C:\UserDotHU\devbodec.exe

Filesize
2.6MB

MD5
9c30b702d4662adfea134d1cab1566ae

SHA1
7ec28781f3d0a5a016ca29469f37a3d1ede832ba

SHA256
dfc5d6bd7174690d25bda1f62dbcc208c65f995362589641df12eba5482295ef

SHA512
6c0351b5a780bdda2aa53eddf0ff4bef06f9665fcf8ff7ccfcd4c7622339f3200381ac00106da005c4d8c03952225a006c0ebd84ab57294cead0d497516baac8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
85207fa0fba00942edceccded9fd1c82

SHA1
c8a5e5fab03335a2573974e9f7eaa2a03f50a94d

SHA256
944440fbf08d9d0e1494a88c0cbf730e2cb2bd835096c2a6e4788b0cca86ccb3

SHA512
ffda7270d4c9d8ac84a8f5d1ac8f1eaf5e490d07bf1a4ded84210dbd90207eb5b9474910c22301a4a0599eaa0604f8bc89a8f0aba9bd4f2fc313c3ed6817edbe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
fba360ae5fba4b869088e82485d5f01e

SHA1
10eb25eb886792d6a0bb3e288764aa97ada88f5a

SHA256
4af3d505ed2e942bff4bcae5ee74fffa31f2972422aea6fbc9a5b0aa4b9e80d5

SHA512
29132f55698633ac35174c3f21bd6476a016dd9010bc560cdce28ba8a77af555ba513d4604bda6fcf7f3d29bd75554bea1fe59dc50de4769a0e0b1be06faf802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
3574cbcfcb021ae3d9a1e46d6d4fe791

SHA1
e56af8566bb83785a46f2c24d4f534220acb2c62

SHA256
15ab7a162e77a2a1a2bb5e279c0f7cab97fc1853607c089808a6250ca35303c5

SHA512
6968e0e04d96b4ce875b83eeae78b1dec5a8216cf7faa9e76078e810dba4ff372e10d1df40791e3b0df911ec5f7cd26e5b7bbb2f2e617fb07e16e675dafe0d70

Download Submit