b7960cc7d8d05087fa6f56b0b1057ceea00a855d4cdd2c6171721d7f885773a5

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 20:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
Size

3.2MB
MD5

01931202deb4d6eaaa8fe9ada88d0500
SHA1

f728722386245783bf433d71bfe02c6ddd2dca61
SHA256

b7960cc7d8d05087fa6f56b0b1057ceea00a855d4cdd2c6171721d7f885773a5
SHA512

c707420a525f535378f86f20c0d9089183c99da009ace83671389b370cbee69225afbec7061eae7ea7bac95f2775c6cfff2dd90719a9f60922ee67ca57b9676b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1792	locdevopti.exe
500	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8H\\abodsys.exe"	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6U\\optidevec.exe"	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe
1792	locdevopti.exe
1792	locdevopti.exe
500	abodsys.exe
500	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1792	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	91
PID 5004 wrote to memory of 1792	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	91
PID 5004 wrote to memory of 1792	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	91
PID 5004 wrote to memory of 500	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	93
PID 5004 wrote to memory of 500	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	93
PID 5004 wrote to memory of 500	5004	01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01931202deb4d6eaaa8fe9ada88d0500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Intelproc8H\abodsys.exe
  C:\Intelproc8H\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax6U\optidevec.exe

Filesize
3.2MB

MD5
e1dda0e23df0a193203e60e76a106200

SHA1
489fead8b0c75a283c1d9238ece6b2718b4342cf

SHA256
e0814cd566a8375ee1dfc6e8fe37213254cf41dd0d2b4b99da5db5e6dad97f70

SHA512
629bfa511c384210a2e64736c0e02eaf17da128b08b76fc0f1dba162072c1b51afbeac83e2970ce51763d7224e8b8d0dd720a1020e1b6fa7760c31ef4110cd0a

Download Submit
C:\Galax6U\optidevec.exe

Filesize
3.2MB

MD5
6391e3bd4f2b4e0db24a233c632d5896

SHA1
c46fa1c4bcca0c47f86758fcabb58617dcdb79ab

SHA256
8f4941ef8f751ad4781d3aa2c468ccc64e5de63339601dc109d84adfdc7cd6df

SHA512
a767a4374eb4c0aed5466c60cd42c638c5e29627214cf798d245fe7257536a9f138ceb70a3c825804934be873052f20b856b68daa27fa277e4f334b548beca51

Download Submit
C:\Intelproc8H\abodsys.exe

Filesize
3.2MB

MD5
2cd8f11c7f887c6166161fca328d0cf0

SHA1
16fd3f30fe5b77469c28659119d73496b59f6b16

SHA256
86de84f28b14c521768b246198edf7d17e3356af5fdd937078ec478487a0bca7

SHA512
ce914f99ab4851bce98cec2ed20daa0d36234c1cc5cd69662848e75291beb600bfad9b76a794143deacd5d0cd6ff3bf676f7932681677fe559f4ee2f3d3e9425

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
e1354dde54bed2e3bd2945901c566dae

SHA1
0a3bf5d97cb0578286c6962f96036c7412af20c1

SHA256
43d6a4b00a6f5b9b742b8d7ecac9667f392ffb1b472bbcf32189b94b657c088f

SHA512
a2d4b5095c4c79175ac8f8264854fafeb1f3ecc6121bf351e9994a12a7f9390bec12c9875dcdb88bf0109fe998d2f2f17e02d2ae3e97bbb7c31fad81f644fde6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
178B

MD5
ad1792ff874d021ad2079e9573db9b5e

SHA1
ec5daf04bfe5d3e5d20fd1ec2e98354167b3c980

SHA256
9c701101a5961d762ecb60e10ca5ff7c7d9aebccf4a970e4ac9bed97ba3c5d4a

SHA512
6856847fdd1a931d44d9057df720924530cc94650e7760e1c50a8023ddd03d7afe45a8f1dc9add5d01cc5367f8eb002a3dd9af45262567b347657c0b1f7c4e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.2MB

MD5
67bca143717d611f4356708b23570d45

SHA1
24cb749c0750919f165420a131e7b5271a0030f9

SHA256
489ab433d530ef5030ab6faebc3516003b190f9fd8ff1764b1749b9cde9fedfb

SHA512
302762fb180f80bbc026afc38069f19649f228a0ac367a4de43e43b26712af14feb7fbcd46c7239af211826598f7c7daeec9af2ef1e1ca20aeae9b23734877c9

Download Submit