4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
Size

3.1MB
MD5

ed31a3f6322e8bbfba543cafa267b190
SHA1

9c8ba3ddf6ac657a2aca74e168dd00f86210a52c
SHA256

4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c
SHA512

b2866d33bab2ace12d3971aa5426f820e5751cfc1d011519bce041cd2e2dedea1b219891dafefd76cbfeac2bc82111b3e2aa3d301834f1ce50cec62241827a8d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp8bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	sysdevbod.exe
1644	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8Y\\devdobloc.exe"	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD6\\optixsys.exe"	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe
3048	sysdevbod.exe
1644	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3048	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 3048	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 3048	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 3048	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 1644	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 1644	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 1644	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 1644	2176	4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d2ddf7c812fcc60a764e8a76f8042da17cec7f4bf3177f54026d113e7194f1c_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Adobe8Y\devdobloc.exe
  C:\Adobe8Y\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8Y\devdobloc.exe

Filesize
3.1MB

MD5
e3fe35cb6f743929b74d4eb72c45867f

SHA1
3ffb585bb1ae2230b92b69bc66fd6d945ed9c51a

SHA256
ec75ca8de674fdc6fb47631415ac0e5b50967d98f86f5600720e16b32012acce

SHA512
ebe37e4fb3557327278db9ff6e57ed39a6afae59973948640241f36f0f2bba24bba1e5ec734b102707fcc99a070956eac395b356a45130debb4cd3300fa14703

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
6daf83f25efaa9be05bb339f3156fc62

SHA1
d7b0daad28624736e39678671049c360a99c4357

SHA256
323cc85edb9425187c85e16652d119952018dbbd91cb3556336dd58d92de2df4

SHA512
f1eaaab05799f80ef3ae899c9a730f9b9a7289c25168c8d76c7d940a2c7391ca446b18bac9fe0f668ede4f7b712f818d657a859ee35cfbf00982ceb750b06149

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0e996494e74999c8366dd9a055304cd2

SHA1
db62bc1b1223a06bcc561f5fa981486114cfe826

SHA256
3d53efee0f22eacf67c825fe0059d176fc746c26a14ab47aab3356a77d053dfa

SHA512
feac4dadb42754ac11edca5519e6c15c50ebe4a9b3b10f4e3794bf982df315a66eb27e51c21867fa435ec7cea150393dd2a1b6f4ffa5e0b48316e7cd4c3f9b9e

Download Submit
C:\VidD6\optixsys.exe

Filesize
3.1MB

MD5
ec2883b43ee7923a8db57e3ac40f6316

SHA1
4c3297679ba1ec23c1ec924f275f4824b02175e8

SHA256
ae4f43737519cd6e34d61af602de54a8098a556815250e3009d627047d60a33b

SHA512
daba284d3fb2894858d2cde42049b711b69472d9456c45b60af2bbfec2c173d2b66b94d1b8b97e00399474ea190a9cfff79c7d82ef275581aa8ec833e52064b9

Download Submit
C:\VidD6\optixsys.exe

Filesize
3.1MB

MD5
2a54b1675d87244b6d989de75538282d

SHA1
73e7672b54efc5419b90d11c2c9bf5dc48bfa022

SHA256
02e9e5d08943b1d1a9b0e5e51fa52d2726902d7da64c368c7c6c6aeee631f1f0

SHA512
f7f2533e0e64b885222f5fede9c9e7bb5180a03a2a1c3a8c2c99079167ebe1fb85d85f53412a6e98f3ff1e60ad1067412dd5dcfc43f07bf565fee8dae683c58b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.1MB

MD5
cfa90ef3f97b548197671a4629762674

SHA1
942453663d89d8606261664975ec34bc3a180840

SHA256
221eeb168eb103d42b02b8d345a7590cb5728fa9f5e803650ad5bb1c3a38db2b

SHA512
bd36b481a3f5950e2dcdca8e45af2cc811de2f842677c1b7852cb04c64935ba6712e21d198d11f9ecb88fd8c0d6290b5bfe4b7320372583a7b74c66bd643c5db

Download Submit