01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
Size

3.6MB
MD5

9d7a505f5eb0b45468c105d1cde4edc0
SHA1

232cc15010e561a5278ddf0a8008ea1bb72379f5
SHA256

01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e
SHA512

9e13cb25b6d21d2b36baa869547524e9cc94f2b552b6803b36444341f1094379719e068600ba602536c5007c42368dd7a7a76501eda7c3ebe9bcc5ddca643c6f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8:sxX7QnxrloE5dpUp1bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
364	sysdevbod.exe
1400	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe"	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe"	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe
364	sysdevbod.exe
364	sysdevbod.exe
1400	aoptisys.exe
1400	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 364	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	85
PID 4616 wrote to memory of 364	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	85
PID 4616 wrote to memory of 364	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	85
PID 4616 wrote to memory of 1400	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	86
PID 4616 wrote to memory of 1400	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	86
PID 4616 wrote to memory of 1400	4616	01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01db6e4984ab929847de8daad5b3ccedf5b2571e1b9ef48a1e3550593431dd5e_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:364
- C:\FilesOH\aoptisys.exe
  C:\FilesOH\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOH\aoptisys.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\FilesOH\aoptisys.exe

Filesize
3.6MB

MD5
fbc50f890cb5a31aa5d7d5ad52208e65

SHA1
045f1a8f944261fed53430d7c892e7523141c370

SHA256
c1a400ee0d8fa85b7306ce3f8c40be7bc0b389eb03bcf9fc5a4ee89c8966f7ca

SHA512
058ecc8b4a4e75f6b88e6cfe25fd56fb89d64ef9c2a82cbfc2ad7f9cf314b8a7d65f4e3690cca1a42d77bb0362d7e614a1548a5746fbf5bd3e32b8bdaf708acb

Download Submit
C:\KaVB8R\dobdevec.exe

Filesize
3.6MB

MD5
dc1ba40bf693e5c375384202a92b3f24

SHA1
b3a29334bc23a250a2a1b938bfa69ec609aa9e31

SHA256
38db73ce019646583ecb5815d592d5d97468e5155dca00c1d76cb0146889efdc

SHA512
63140620c87f0db4f4e52ed9ec17fa6d8cf59a555b1c02c9d5ba9a62ca886ed4f637049ab1794b9f2a87a25f81974e45418668261c6c46842b0edd84ae0f402a

Download Submit
C:\KaVB8R\dobdevec.exe

Filesize
13KB

MD5
642d5fd1c5d47e0cd3efc57772bc2053

SHA1
bc41dd3d35783afbd472e73a9f63190d7e166933

SHA256
354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798

SHA512
3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fa5fb7767c2d07c19bd3b697680f0fc5

SHA1
0ed227be570e06a782c6289bc35e3a90e2ad8cfc

SHA256
0c60b70960d7d075eb7124787d3631b0af1b07980f787f04c2e72670c0b3136f

SHA512
84bfd9974b483ecbac568fd4803c9b0cade277cea108ffd38a4dada0c4791f3742f73c25d38397999e5329d75c5e5c343a220c57706c617e5e729911b1728648

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
792cc3ac79c7635d2f3c1d9aad57bf84

SHA1
8fa624b7b2a4855252ed44f44066028b039d655d

SHA256
cf8277cfb5633b2d630a28a4b556cb7ff6016c35329b9b8a8197ae4271652b9f

SHA512
1484a96c81f5ba04620908596156d0bf0970e05d7929a59668b5737583495c4d6c34f7d9a39302c6c4c07c67cedf1691ecf8b6685eb5c5d6cc3a83ec22463abf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
3e22a90b583eaa1b9ff508a3b69f3359

SHA1
0624c1d96952fa33150042417cc42f98429d7b34

SHA256
10cd87a90c169f8bd08f62ba4bc82af18a31b406e9c3edf965e45f7979d664b5

SHA512
8035d44f50054a1808e1d84a262a28382ac9385a30b950c6ae98dbdc60f02d910d2a7d86d76ee9b45cd31bfd1c412af972244946172080ad2d9a4018dfb20bcc

Download Submit