4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
Size

3.0MB
MD5

aa3c13aef990e8df9ce2d2ff912533c0
SHA1

abbeec86b7bc6318ea1e5a373dd46edf5f993252
SHA256

4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752
SHA512

a137a8dca379e3d7a15817e88e5e10e176410fe1a04d040149c7f82b83fb25e4f14a933a44dd97d1d0bd8d7699a88d72585dc6f7c031e25e7624103005d79b61
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4852	sysdevopti.exe
3648	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI6\\devbodsys.exe"	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWX\\boddevloc.exe"	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe
4852	sysdevopti.exe
4852	sysdevopti.exe
3648	devbodsys.exe
3648	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4852	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	86
PID 748 wrote to memory of 4852	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	86
PID 748 wrote to memory of 4852	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	86
PID 748 wrote to memory of 3648	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	87
PID 748 wrote to memory of 3648	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	87
PID 748 wrote to memory of 3648	748	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\SysDrvI6\devbodsys.exe
  C:\SysDrvI6\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWX\boddevloc.exe

Filesize
240KB

MD5
ccd6a2945e542c4d7a6d8b95b0b225b3

SHA1
67e901760d8388b8ee4cf909a562dabc8ec4a255

SHA256
ae4d82df2e7f2bef727789d511319b235611c3101059828aa64d192b6dd58b05

SHA512
5f7e5a26dd9e3b12d3532868f0513bc59ffb1a382cec5172cb068ced77bdd6549c3427ea5361a544fbf81f800f719355b90dabd106a5c081267ba14e13ecd729

Download Submit
C:\MintWX\boddevloc.exe

Filesize
1.3MB

MD5
f959f6e93a57f5cc9d72e046c87087c5

SHA1
a7aead5a1962258fbfab1690eb1407b55ab7e176

SHA256
1b86e0e3eed189ac0e05e70eeeddfd00dc13b8c464b636248e68fe0a7e60a685

SHA512
3f761a8a63894c0ba0f4eebc1ed4fedb5125ee8afc33626b5b5511f8e4fb2af9af64e058f18eeeb034c0cab210ca46a051b748dc0bc63eec82baae68662b9421

Download Submit
C:\SysDrvI6\devbodsys.exe

Filesize
768KB

MD5
abc997d5ff79c2b3f8030103ac1a9b4b

SHA1
1c6c7705fd1dfa8bc330b4ece0b5b2cef39ffe7d

SHA256
57a9a3fe43aecefd9ed9f66d3e3b620465a7896f8a5af84f239146a9f1c5043e

SHA512
d073869b3d6e81e07e6b5470a02e335074ee3443a9044d5c516c4499fa8c75a12424cc42a245a06ad2d8dac0a25665323aa9eb1fd253dbfc97613ca2a442717e

Download Submit
C:\SysDrvI6\devbodsys.exe

Filesize
3.0MB

MD5
d5853f33a15c043ad49bd9183cc4093b

SHA1
cffdab5e8979ea386042aeaf8f8563087db61d71

SHA256
932257000fb1cf6dff1636f268f86fb61c9c1a8da0d5b80994854681e79ba845

SHA512
bdd5851390bbfbe121025bc752c71c3467130addf301166dd717348f1eebeffb42088c4b0c3973fbc425d3ccc1a0749810190376e26b59a161d38f3ad1e703a4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
471e0833dc268ccce68f19f84d9402cf

SHA1
54ec2b79a7b13f258e82eee5515678aa9ad7fb64

SHA256
4cb9a0c88fe5cf4a800bf74f7b4a3b3672042bcedc8b70ccf90a965d0e95d78f

SHA512
29af30745373aabf9fb067c799856ccb61e44e11af37f8b15f0fe1411a2bb9fd71f087ebd97d97b57f8602b347a9fddd87cc230a44d6c61f7ed7dd46d1f921e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
21039c2411e293e70ba6583401450850

SHA1
3aeda479913e0a70fe8559513cae22a213a52f72

SHA256
d4b4aff9347364c84f3fec51f3b877641887e8da969b8bbfc4e2cbf9eb301ead

SHA512
98e6d297788b04bb8cd3191122ab8a2827c4e7ec42b5371b654192fff24c93883a8bca406069c2a9885b166d08c039c114bd26fb5c1befac1709eb2665ca1a89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
85636580a141e8e06e87ec391043c964

SHA1
c91a6d41240454c1f83b4dd17374bb10fe5b97f5

SHA256
de16b6e7fdf118daeb37e6c6c88bf82880c1e9fff5951e6c1502dc72514f0269

SHA512
226ad223c093ebdf9cc437fa477f69df756e26b952615e2d7e0ca590293caf5c95688163b9063356371be9e6429969a1fa8c985181c4a5175bda5293ae1149ff

Download Submit