3d4286899570d32244d6bca704956c6f940b0c26926d4c3d668ec2ac4035d273

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 00:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
Size

3.2MB
MD5

29108100c28134f043b4c3b72243de30
SHA1

0080f93c5f6422bee26dbfe188cc1aa32742a3de
SHA256

3d4286899570d32244d6bca704956c6f940b0c26926d4c3d668ec2ac4035d273
SHA512

cf3ac2a05921e13663388da350f44f85ebcda571890df1526e2154fabf16315bf523d33eca85ccba5bf3205b56770c1220f5ae5b5c9a74f83d8555c2802f60ef
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1020	sysxopti.exe
432	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJY\\devoptiec.exe"	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD2\\dobdevec.exe"	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe
1020	sysxopti.exe
1020	sysxopti.exe
432	devoptiec.exe
432	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1020	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	92
PID 2440 wrote to memory of 1020	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	92
PID 2440 wrote to memory of 1020	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	92
PID 2440 wrote to memory of 432	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	93
PID 2440 wrote to memory of 432	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	93
PID 2440 wrote to memory of 432	2440	29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29108100c28134f043b4c3b72243de30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\IntelprocJY\devoptiec.exe
  C:\IntelprocJY\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJY\devoptiec.exe

Filesize
3.2MB

MD5
091c20d00701893397c08b9fc621a980

SHA1
578333ebdf6d304b91cd43a182ea40cde468f1e1

SHA256
b7574bb575cf380392cf2d3c733cb7876ed39c9b3b11b667c683ef9f936b87eb

SHA512
aa6b679e28f6dc0b63b2684fc358ab6d0799b68c0f38bd6841f4a07b137221a39ed35279cb4d517cb720a0a82c4cc0879fe9211736ad41df05a8f59060cf077c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
9cfb1b80b155924b27843a4678ab64f1

SHA1
7de12684d8139a1679089613f487d09e0bc339b6

SHA256
11cb2f3533e484eb856fa727086ec00ea45500f669ed2ecd53f01d25bd7cad7c

SHA512
0e57f88502da1501bf4ed511f19eaa8e28da7e9e948a961171ca437165f03fbebf96c64567c1c4f294f794c2b3b631c7abd816ba9ffcde2b4d8e49aa93a37b05

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
5b512c03ecbe00d7ab295e54c7566b44

SHA1
8d04e560bed4f009537dc77f33b15f252b831bf2

SHA256
e4e95f68c903a9d7a27ccc582dd5a26bc554dd3cda93b698a36aa2d936146527

SHA512
cb3c348d5279e0bee955fd9dbf75296a832ecbf383fc6e418dde38323377150d0fae955f61039549acf8bf2ef58140e2f618491826fd3ac28a6104c97c69cb0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.2MB

MD5
4b77178123b0eea99656ef034c466365

SHA1
b5e94c56ca800d0592d961ffdb9de30c6a11d8b8

SHA256
8e0b954a3e44aa7204db4feaf4616a209d744232695261356c24eafbef328c9e

SHA512
7638c841fd09c6bcd0d57a97023da9cfe6f4abd73b059828670a8d7a54d37498bc3073df5f50732a3e505fc8900aa78c95b09b7bbde57ac9fc6823fdbcd69b65

Download Submit
C:\VidD2\dobdevec.exe

Filesize
3.2MB

MD5
7b4aea49163856f373f7c7899fc1e185

SHA1
01c26145fcfdc565399c6257fc271b2ea53376cf

SHA256
5de7000c87807f5097e74711f25d2a40376a946bdb44003218b32cbb5836f7c0

SHA512
93b5bdabb49f1c302bc78561595dd0c24be3f7a803016299bf2d249ac35a92b67cfe196917257fffa55d1e597b90b50e39611980e537a2b47908657809b15e93

Download Submit
C:\VidD2\dobdevec.exe

Filesize
3.2MB

MD5
9dda01acd47b5658b7e2858d51f97cd5

SHA1
feddfe7a61c422f2db4121156cf82b3670fc7be1

SHA256
bd0802176bef816ffbdf62c95f71dbea658743a6139de25e4e9ce5d88b98daf4

SHA512
6ce401d6e1bfd5b386232626a2e4bf750dd90f973b181534faac033612a0e8c095e0a66181df6bd72708052d6ecc9493c7f2b33b2324d710e6e12ecf47dfb1ac

Download Submit