971d5209e24d1c0a7d13a91ecae9dc9c95a12b88810a1f77d99a2e7edcdfeb1f

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
Size

4.0MB
MD5

4144ce527790055a2f7659041e9bcbd0
SHA1

4970d21a39a9d00fb30db41dcef8f37f0fcdb853
SHA256

971d5209e24d1c0a7d13a91ecae9dc9c95a12b88810a1f77d99a2e7edcdfeb1f
SHA512

f1724725701dd4fc9a0c93bcbe1cbe25fe09dccf38e9b9505c489d7156ace9a93c32c4bbad3bf2833bf5f467b59e69c30c4a97112eb50942e61a20cd17d7d8e4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
5072	locabod.exe
3704	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD3\\devoptisys.exe"	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9O\\optiasys.exe"	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe
5072	locabod.exe
5072	locabod.exe
3704	devoptisys.exe
3704	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 5072	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	90
PID 5112 wrote to memory of 5072	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	90
PID 5112 wrote to memory of 5072	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	90
PID 5112 wrote to memory of 3704	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	91
PID 5112 wrote to memory of 3704	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	91
PID 5112 wrote to memory of 3704	5112	4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4144ce527790055a2f7659041e9bcbd0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\UserDotD3\devoptisys.exe
  C:\UserDotD3\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotD3\devoptisys.exe

Filesize
4.0MB

MD5
476f82f64ab883b625c40d6773320506

SHA1
9c8e2f694c7f8169d069401a7ad6d927418101d8

SHA256
61270aee4c4dfa55c1aa83d3c43f8d54245ed2354fdc2a58386ac1907d2aa381

SHA512
3f1072b7f80aa34970d64f50336322312aa95db236fe740eabe7816f51bb25ec25681060cbcfe73c55858876ba388620595c32b62daab4f21f1e5744532e1a4f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
e7bd47f9f14080f28a76d309a7c0efe5

SHA1
c7ec892d699f388ea5aa17d5c842167622f0626f

SHA256
edc0d7e8327c5872e0ab4dfca7a8d858dfd20ea12fb303675504f49a17922073

SHA512
104862a81b14cebbe87a4be0a2783876e845fe1d3b60cbc65c0278ef4a6637af655a109501d7cd293d1129fdea991a70afa0bd5e28fb319aa0d5764d39f0f772

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
e2a113cafd26311be2111f7d84903702

SHA1
4bea2269feef2a092313c097161202b1fdf27d58

SHA256
33e28a467ab2d19d09378396208b29716d279ecdba34b74eeb8d4278b48b75e7

SHA512
23c61f5e71e5f19a965c5c6c7921e54d5bdac787321f0644a65ede48672b4c3f6fa308b3cfffbe39e61f8d9cc44965e9616000dece38f7cb953c1b8f7cd583e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
4.0MB

MD5
5e8f5367940b3d69da26466c7f1355fc

SHA1
ee871e41a870b9c02dd36a397fffb8ab159c64da

SHA256
29407907c0c188c7bb42bde7898a11a1554f063ec282cd78564915266f3de7d7

SHA512
4eb91a7362052fd275ce8138777d24b179a4b251e355fe798225163e04ce7c3344a501ab796614af7b17da9ba9e9e5a7bb1e697f1014e2095146ff87d651333d

Download Submit
C:\Vid9O\optiasys.exe

Filesize
2.4MB

MD5
158a3a727d31d27f887802c7700b6817

SHA1
37f1c2d1bd90d539f0f13aff6eb9346008ee5afa

SHA256
71cda676558374b6bd7952d9fbe94e9e6975f4e1ee36cd0c0e907d2195d8ea59

SHA512
e7fc44c9738494610ca77e59f6ed5b59c0834d722bc9a652d36bdc383f13fac565a0e104a18c66f9d338183a78fe57311fb8e0f2ea8714d480b046ce2a19f1cd

Download Submit
C:\Vid9O\optiasys.exe

Filesize
4.0MB

MD5
3ccbac38af641eb39bfdb81c16b000c7

SHA1
49de2fc26b7236986c76dc16924267fa927e9dce

SHA256
c49944a0f89de81572338b4b8b83fca1069d77c45556e89673be66c0c3c6530c

SHA512
9737a726566a50393c41ccfc1eaacbaebe9f171567a977466263c8752e0780b174b3fc6df596c73a7d6b45d4d265569f8261da1799a92dbbfc8dd14ea5ce3eac

Download Submit