a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
Size

3.6MB
MD5

c99a41aad6eea5c335b3aca6f2043bd0
SHA1

adc73cdd61b451224c539816ac3fc6c83a948234
SHA256

a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589
SHA512

ef5e853d715c53dc9a4f40597c40bbc20bc81d71ec2b778afb56b67a244274a0f2d7821dd4dd5a16016e2ae6361a4055100032a80d7b28410cf7ee7e529580af
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2428	sysdevbod.exe
2316	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9P\\xoptiloc.exe"	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax63\\optidevsys.exe"	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe
2428	sysdevbod.exe
2316	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2428	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2428	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2428	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2428	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2316	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2316	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2316	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2316	2200	a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1b8c5020d57a36014473fddf2cab0f305e90195a5fbcf1b29bdfb5d584c1589_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\SysDrv9P\xoptiloc.exe
  C:\SysDrv9P\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax63\optidevsys.exe

Filesize
2.2MB

MD5
75d60e22d9d1de56d4ed3c015feeaf0a

SHA1
862c240ebdc42f8dc1ec5a77b440dd5bd6a56a29

SHA256
1a09e3cc284de5af102a0f970b0c17025902338d59b259600aa1f8ee52cc33bf

SHA512
cced3f8c0d144babee7fce38fb769a93bc3841e0af430d3f333ef977801955ee25521346de89f2b2fcc7b9bf154ebef54818e9ee23c2303f3ac545caa6c86fab

Download Submit
C:\SysDrv9P\xoptiloc.exe

Filesize
3.6MB

MD5
8eae822dbb910247553fee91d5ed5ffe

SHA1
a852563dc44d30f891845c8d2f0b25cfbd931632

SHA256
8216b3c825238a983e7aed7233af7529044a88f1c4db6f6c2a3ed84bed08bd02

SHA512
48e59ab7b0dd2cb6a318f7c6cd121f99acf0a2c8167e6b68968e552a68460fb215a64b4a87ee159a5e39e037eda3f21d339ba24754eb935f07bdddf403249d70

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
69374f467ea9d61c6dc636fe1dfcaded

SHA1
e9ecc4b5019bc961e24d6f9570ab449bb92d9c2b

SHA256
4293a6e2e20bdc4419e07f02837dc0ab0834cf2fb18b347c9048c8e7e22e3aa6

SHA512
b9b20c6d4ebd0ffcc6f2645b213bdc6dd322d220a3e0a607b4de93f07c182eddfa3f4654a9257480bee4e4c37eecd46a73338de5d338dcd4238c428ce9913faf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
9f81ea816ab86ea81d54387e4d805b53

SHA1
57cb110cf26066ed550ca2203bc067c1d3bbe1c1

SHA256
21cd43c7ac589407e66c0e397c37322d869ca7a8079aac4d9ce120bd88083913

SHA512
7861bf4369fab30ba7aedc57682a31259da6cccabc9908c6556ca472a3df286935cf93b5169f34b7048dffa5382a497c3a64f1c6275cc1c3968803439d67b272

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
443a8dd6cf12dc0a9d600b738b9b652d

SHA1
6da26c4b2686e93526b07071434ff698396fa651

SHA256
486484925a6aba347afa312fb7290864a00157990c17e078946da746a53a5c4d

SHA512
d7f5915d846d84934fcc7d6950e9be73f5def0bd238a139fd99efd9bdeccc8a157fa6b4972994d28e46a75d87ca54f69ac678cfefd610355fc6e6f08c93a6ce4

Download Submit