9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
Size

4.1MB
MD5

89606ea9cc1e017b813d55868d8bd980
SHA1

aff596ddbb9d76ad31411df9166ba17bea8c4ca3
SHA256

9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8
SHA512

c95df2d0739539a6edaf8cf29477590be14183d7a910131d1cdceb3ad195dd11067ae69fe3be2a15db4e28af6ee0737a4c539730cbfbde5449ffeddf51605fde
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	sysxbod.exe
2636	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVT\\devoptiloc.exe"	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB3\\boddevloc.exe"	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe
2004	sysxbod.exe
2636	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2004	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 2004	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 2004	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 2004	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	28
PID 2792 wrote to memory of 2636	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2636	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2636	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	29
PID 2792 wrote to memory of 2636	2792	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\AdobeVT\devoptiloc.exe
  C:\AdobeVT\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeVT\devoptiloc.exe

Filesize
4.1MB

MD5
8c9a1c59752ab9a406f32aa091b9ab9f

SHA1
a1e9a87fd1ea2442850c54bb9c7c29b571a2a71f

SHA256
55047776d4d31d3a8eb0fadaf615d0b8cbd3c1654aa5b014a376bae073de4d64

SHA512
9b23f09e35eb46f91dabe303fefb0436476a394d8159f5900db40a09d340abf2cc5d192ad934b10c5e2d3e4226c98cabc38937b58dfbfbdb74631ec28964be8d

Download Submit
C:\MintB3\boddevloc.exe

Filesize
3.0MB

MD5
42f0581d5302d9e38a7c3cdb252ec6f6

SHA1
01f2170cfa71f10d1cb922007fbf7fabb40769f9

SHA256
6bc3572848df164d691fb6db416aa2ee311c604985d965ba7fd0c02c0010c84a

SHA512
ef70db0d0f90763bf36cc19d09333c6a8644bedf792d5616bc73c5b3f6d56c2659fd0d303415a434610cbf509b0e6052468c6aa71642c3aa52dab9e647ca6a88

Download Submit
C:\MintB3\boddevloc.exe

Filesize
4.1MB

MD5
4dc5e3e0a6ea71b3808ec043648bce75

SHA1
6d7b8a20d7ce21c56e6a3277f90c89e8a537b92f

SHA256
a2db54621d074772fe08dedd2f5ef6a3e764e811eb6558f3216d52003b92fdd2

SHA512
2ff15e850bb627d840dd4f0082c3999c96aebd7db7b2f64678ed3ddde0f9cd0668c5cdba2aaab278003106b77a25a8274b9e46834944b2d73457a4d1b14243c4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
f088a5e61737a455b37006c069e46611

SHA1
5c6749300ebd4275a163db5837453ba2088e8c4e

SHA256
5789e846ed6e8646058cd5f7a1b61310680c33a03cdfdbac3b4227eb297abd98

SHA512
0f090ef97846ac0d1a0405a9912fe173cbb36a2342829843597eb0932c67bf3e22ef719e26abd9f7c0f6ae8b469bd92ac0af613402252881006c1cbd8ee3e2a5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
85ce211554ff1b9ecc83ad47c81ada32

SHA1
a63260291d2fd3eac3dd74ea9f66e7e98fc5fae7

SHA256
9f66035383e1a7b68130a717ef1dcd6d7b653108471c6da6e7f0ad1db7c079f2

SHA512
77cdf8b6d9fde623e57f814f85f203f5dc5f65e538131796666b0ce88190222b7f42007ca8c1848d45cefbacf9c1335e43f325de6c56587cbcab6fd625e8b3ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.1MB

MD5
66380cf1461847c840433156aa13d2f0

SHA1
8be4b2192e1721b2d6b47cf2c1f0bb5ddc19d826

SHA256
c9fb93ae17860e5832ef8aec3312e2d6613eeeabaab6868137d23f04efe337fa

SHA512
0e8ca68a46b3f9c12eb0903b0ea756c133dd33f25241fea55e44020daa60569e53bfd835ccbf46c618e55c27300542bbcc6ef043952319d1855ce1c3a8b5f95c

Download Submit