2911a56a090d7e681ac3b6027a9afc482ad6602497e7ca2f57a80f0489c362a6

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
Size

4.1MB
MD5

131c4ad6139c78ca53b4675fe3e82b80
SHA1

5f705b306ecb610e69d8de2fb1fecf2991867a2b
SHA256

2911a56a090d7e681ac3b6027a9afc482ad6602497e7ca2f57a80f0489c362a6
SHA512

0e68e0bd999417f639893da47eb4c1cfa0a0025b143c8abe912150dccebde43aa8019a4be388f2abd186434a029b0c30f9e406644b858e1dbfea6db849344001
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpMbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	sysaopti.exe
3884	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQQ\\devoptisys.exe"	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD5\\dobxec.exe"	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe
4868	sysaopti.exe
4868	sysaopti.exe
3884	devoptisys.exe
3884	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4868	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	85
PID 2028 wrote to memory of 4868	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	85
PID 2028 wrote to memory of 4868	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	85
PID 2028 wrote to memory of 3884	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	86
PID 2028 wrote to memory of 3884	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	86
PID 2028 wrote to memory of 3884	2028	131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\131c4ad6139c78ca53b4675fe3e82b80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\FilesQQ\devoptisys.exe
  C:\FilesQQ\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesQQ\devoptisys.exe

Filesize
2.3MB

MD5
e05abc0a680d94ee80e35ca2fb5db234

SHA1
887c49d63f18e07c845d665f856ac8065e9595ef

SHA256
779db6f3160475f77413d9a69c7a198290f0e15bdea76818dec1c65f7a2eb4d4

SHA512
c48fb9d1e82293c5dc23c16af20a688911643e2b857bcf40b9edd28eb7f917b214a10d3048e44255044ebdcd18d49297fc5f395edc4a9dcfbb75277cfa8fba98

Download Submit
C:\FilesQQ\devoptisys.exe

Filesize
4.1MB

MD5
900eeaac9280be829a5bdf7db7d54b8b

SHA1
baee0d4f759628be4f9b76f88476b78ecf9f6ab3

SHA256
1320b4470ec50ed4ab631481105cffb8d17c07b89beff53fe18de6e33dcb4aa9

SHA512
0c1f16321053e79e2f904b5b2e5fb42806d413c8d2ce50207db065e3b3d4df323bcd973fa50dacd540f5e6ba40a15fc551b8dde34d1781dc7d3dae27711e4e71

Download Submit
C:\LabZD5\dobxec.exe

Filesize
181KB

MD5
69b5f34f0a095a9d9cf1965552ab8ae7

SHA1
4cf26868f975574ffa2cf92464a62ffa5a2abde9

SHA256
d2ab836a5cb93e438b302c94d58cad4616e5bfebe5c68d33e76aac69eb85a861

SHA512
f21199191081fae9fb4f299aca4bbe218f4428880b8896081395f2a5f6a6e3f7941f436c31e4973dd03d049b30545de8f95820820ce8d36f45d8fc3594a5f938

Download Submit
C:\LabZD5\dobxec.exe

Filesize
1.9MB

MD5
0da4f0317d5e7d263484e94c44092d9c

SHA1
2d3790f3e9c66a4568b3b28838985c567fb62019

SHA256
64c6644beae3935571ae14fc903d3a447adf8a7f349d2fb60cc3ede6269e7944

SHA512
ccb4c3862998caef0592bdb4f50f4e74263dae0a1dd6fe9b67196b10b3052098f8384d23c333bebad28dbd686ffcf380899f348d8a2bc306655d948964b40abf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
ea0108d79467771496735fb8da0ac621

SHA1
421d80ed1c2d4a87922a7611d270989f059f3a1b

SHA256
b212d8a27a73612d6c0125d0102658ac19af0cd5bbcf28124a604ea83ebc07f5

SHA512
a72f139400a795a586a96dc235a0c9e329279fd957b536c321cada81e030d7a5a53c0a43b703351078929a488ac967c4ad349eb2d7f644d799540358722f04e1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
f896686aa6dbaa17b6291f4baa2a2fa3

SHA1
61df237e720037dd86fa1a734add2a8e4b6e5c91

SHA256
9f32f07b28c02078144045be34fe5fd9dbe3882c7f213865e4a4897e9e72e5e6

SHA512
1158993c2089867d2f5a07ffb73d845998ecd3f3b48c1d72b7013ade4fa696c38cf2a6456e0f34db591bbf38c3e3d6aed6fd686d5e0cdc6e6dfd4a24dbf119b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
4.1MB

MD5
3be403ca62cf3a1a7b04a07296110677

SHA1
d994447db2aac47b9c056f0c82137780449e4fde

SHA256
c3efa492196a1a8dd136890bf4ff4cc8079a75a4f185bee06e5d352ff625a733

SHA512
80970fa8efe2af1c10d6b054d508c84e1d0bba8c608754700c606897b65202e8dee0dce2a0ada9aa0285284a558d6b147b6d4fa3fbe27b2cece865172aa8e15c

Download Submit