c9b575c20989a7875e5d5e11a4f09bd7f28fd8d3a3120ee4d38c085553a3b8a8

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 09:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
Size

3.1MB
MD5

70503708e67e39244d617a40f0392970
SHA1

5de933680a4b0d26847400588a8388eea2ad7a37
SHA256

c9b575c20989a7875e5d5e11a4f09bd7f28fd8d3a3120ee4d38c085553a3b8a8
SHA512

d9f59f40e0fb2ebeb6ad0036fc74805fa69f405f021e5bd5d3995b393da244376e46135128330d0288bb105c2ccde0e672d88c530a2f48d73142f6c936fd650d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4876	sysdevbod.exe
3996	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHT\\devoptiec.exe"	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXB\\bodxloc.exe"	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe
4876	sysdevbod.exe
4876	sysdevbod.exe
3996	devoptiec.exe
3996	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4876	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	91
PID 3672 wrote to memory of 4876	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	91
PID 3672 wrote to memory of 4876	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	91
PID 3672 wrote to memory of 3996	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	92
PID 3672 wrote to memory of 3996	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	92
PID 3672 wrote to memory of 3996	3672	70503708e67e39244d617a40f0392970_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\70503708e67e39244d617a40f0392970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70503708e67e39244d617a40f0392970_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\SysDrvHT\devoptiec.exe
  C:\SysDrvHT\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4420 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvHT\devoptiec.exe

Filesize
3.1MB

MD5
450b5aa83f92c962140ee8147fd33336

SHA1
b6d188fdc3e3d79eeda0ad13d6d7bfcedd278667

SHA256
7931914d1b2739302fc7d6600ca59ad94766d5827657dbde35b5bc2dfcf00f30

SHA512
8381de27de764d84140229800d5ecafe838f8e73200048d5d6572c4d1733d1a4f044d137e05795f5b0b80459eb3592bc889371f7370ac06768db1ff42152c89b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
6970de7c656513a20032140997e7c0c3

SHA1
579c0d4062a6fc697648360f9c063060ab5f49f9

SHA256
64b2af3ea0a3fd5954b9502409cd97400c5bf096cefeeac40bc87b7b1b90911f

SHA512
cb2050f3a32514f0db2302b1fbcb32318a17d2a23f78f321c75d67e08b0c08733993bb40832ef5e295896d27746e2373dfeeaa4b783c1dc76c672a97a96317b8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
43d011b190daa1775820443c2848b7f9

SHA1
d0e82a08da04e63ee3299493b3c4974f30045110

SHA256
6aa642fc273b545409feaac148ebb84436a87910a727f62897c058ed18e20f30

SHA512
cd40f151413120229fa9abdc97388149350522b5ea0fce43c7fe68f7a18eff41f919ac66abac3378f482347e462d16a3769790b133273e60ce07ce843cb209c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.1MB

MD5
92fb49c2fd0f6054e5843438873b047b

SHA1
e68fb5534407e62b1fdb79e7bac7cdde0f669882

SHA256
a5b1a50e3181f8cfb808446e8c68350ea71563ffd8d251076134a1e06e8035b3

SHA512
d252cd1aeb4605f52b3fe03ed15df7b79657ef61818f70083c24c136295db9487780ba30f0ea3a2fd7d4e14f20f98ae4d573b15b538a04b90f992785b7b24838

Download Submit
C:\VidXB\bodxloc.exe

Filesize
2.2MB

MD5
fe62c68a58a3582373be5a9f161fc42f

SHA1
8593f0d7f14452d764a897f01543538b47340b0a

SHA256
8a3b70c82ea3c8412462d2b1ddeacc477e640e39c62cd49b611ac3c79e363de2

SHA512
2fe164582d948f98cfb13f07d972a6734ac4ee4785520862ec3037bfb2793c0287d29239ad143be7f64349d9d1d2656b2135d8335421aff8aebed87dc816c015

Download Submit
C:\VidXB\bodxloc.exe

Filesize
3.1MB

MD5
8dde280e56cb2a3129d8e1df7fd2448f

SHA1
c6c3e5ca0b80a8fe0906c31837301acea4d0dce5

SHA256
0842056a0c8d5cabf1d9a8885f30ad1b374c7ab3bba3c86d38794e13f9d4b206

SHA512
152a034d1ca1cb41f3d6d68df37b6000f4f17482220c48d50363d802d60269a01dba70051d1bd2a8c403d5853546c9512385dee0c46e2f3e33fa242e86b4cd18

Download Submit