71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
Size

4.0MB
MD5

11cf42313de00399b26067c75ee0ff50
SHA1

550c4d8b51181088fe0cfe430c43274ad5441276
SHA256

71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23
SHA512

d442e5ec5ee523b1fbccec173d294d89413a438f0dc278a4fb69b9602cad30a91ac35ba842996c64678715a0f740506ffc738c98a6e0e015d5d5f6a7a485129f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4876	sysaopti.exe
2588	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv18\\devdobec.exe"	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ10\\optidevloc.exe"	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe
4876	sysaopti.exe
4876	sysaopti.exe
2588	devdobec.exe
2588	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4876	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	81
PID 2652 wrote to memory of 4876	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	81
PID 2652 wrote to memory of 4876	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	81
PID 2652 wrote to memory of 2588	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	82
PID 2652 wrote to memory of 2588	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	82
PID 2652 wrote to memory of 2588	2652	71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71e037ab49454ed09db6a4abb92a8fbca328ea97036ed37358853ddc5aabcd23_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\SysDrv18\devdobec.exe
  C:\SysDrv18\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ10\optidevloc.exe

Filesize
2.4MB

MD5
b3d0cfb336fe5e898bcb43dc73987add

SHA1
95020cf708d4c6c9ae9e9e2f57155d1e182ec22a

SHA256
b09a0b0fbc285b42caeeb47de66eec86500329a3b1cc41b619c819f9f70d6a17

SHA512
6abbaaa40d610658052efe66ff61715ac5ac522949f1814becdd5efab69b9c77defc5ba7c1d9fd4b7a2bae327adff695ff88ee90c556fd75af540c676b43932e

Download Submit
C:\LabZ10\optidevloc.exe

Filesize
4.0MB

MD5
2829d752a53f21171a4ce0122da61e3b

SHA1
8fc18ed243cf08d11893218136db662dab9e8b6f

SHA256
07baa2d5678cb63312440054295ad03aec0c8e7a0da8ebac1c390842e40b1164

SHA512
f155f275e097528fd7bf533a18b1564a9a548647981d33f45155e057a0d74b76b689dcc2d2f61168f382edadab791eae48bcbb92c15dd00727eedde7e7346245

Download Submit
C:\SysDrv18\devdobec.exe

Filesize
4.0MB

MD5
2a068d7f37bd21448b40b594e46792e5

SHA1
ab7d7b784dbf642bbb8f0844be1223dc9b664304

SHA256
59640d82183fc126c69df52fe7418a58452609c407a328eb264bf1c762cd841c

SHA512
c4a611639643f8f37eabba7bc5a66ddbb67bae53cd73ad8589beb7e1590cb742b0686d981b03f5aa1354df834fafa040bcb429690f0338910d2efc2b2f04b255

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
5063ad0ee43c64f56a09795e79b3c178

SHA1
0725667d4987efe6cd81d76d55b1aaf75ee0d421

SHA256
303475c42d4b6426a96ee66ffbabe4f80bd250c5263f778708c41c96c9243611

SHA512
73394372244d644412cf3a3c267319635c6f86cc19f1a65eda5f8e459a71cd12b313d9058da1a3756d371dd65189b322d25a3b6f6edee3198d8aaa998335cd11

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
b9d3bbcbd3ee77b792d31199e75da05f

SHA1
bdb790b493239622a4eb43d73afbc0c6dee7f6c8

SHA256
b49da16c95a9b014d2962bab4ced26e07f3af1daa37dda38785c13e2e088a9f0

SHA512
68fe4629a45fcdd0baa07c8c1e7e0454720f3bcb6e45445ffb80fffc98e21f3ab0f9ac546d80e36c68703e24bfd08e60cd75049d20a9277ad402dde5204413b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
4.0MB

MD5
08c4e33c7dc09038ad826635e4694f9f

SHA1
311530a87e3056316ca5961a2a56ae2dbc274d26

SHA256
46367b1107d775754aedfe34386031453b9dec7934239a1c02113ebac3c9962a

SHA512
eaf6299e2ba66395f6a3e79b91a5add499c8228b39592f135152e356ce3f31be42f65819ff94d3d00657b5895dbcfa73c17bddd701027585cecad0eb8c08360c

Download Submit