7b5fe8b8a554962e2192aa01cfd0fcc32356727e426361261d5111f4aaa8a4fe

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
Size

3.0MB
MD5

0dc6917727b9b0b3e1a70b5d46ffa2e0
SHA1

91f2e0dd39b025fedc413592e7a6b1bc16bffbad
SHA256

7b5fe8b8a554962e2192aa01cfd0fcc32356727e426361261d5111f4aaa8a4fe
SHA512

903a358de04859807deef9b11c1bc1474f01723aaad268f7263bd1c42ff13d86f80283f0498c9cbc68503e9501f2ea13d0ea6d87d689366d9a31dc137434e505
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	ecadob.exe
2148	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDW\\aoptiloc.exe"	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxG3\\optidevloc.exe"	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe
2252	ecadob.exe
2148	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2252	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2252	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2252	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2252	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2148	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2148	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2148	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2148	1640	0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0dc6917727b9b0b3e1a70b5d46ffa2e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\IntelprocDW\aoptiloc.exe
  C:\IntelprocDW\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxG3\optidevloc.exe

Filesize
3.0MB

MD5
542a8454709a8adaf5398c92fc88f263

SHA1
ca547ed8efd094d1988ee0f5462ca5c78b3bfec1

SHA256
e9f618fd6fbbb42c1aabec266d97d229f50447a1889c5cc2f9e208e0027b2912

SHA512
7e16fc610bad063254ff52a1435fdebf370ab79aa7b55334a3367fcb95ea9e8b3c5b583840222557a0106cc70b4967254e224b9344137082f17bb1e871ba5afc

Download Submit
C:\GalaxG3\optidevloc.exe

Filesize
3.0MB

MD5
923060b90a96b4684901c92783b04da6

SHA1
038e7ac3b9f91b466a42b89f55a89238547c1fa6

SHA256
d952ceb08079c8dd607632a0cab54c1472e7ab56215653f68232d2cbbe95d52c

SHA512
b79ab03e0b6e368d38c99892ebf67180df2186c94378890b3402369a1594b528118407f3f4f3e6e6978829aeb24a24d0ab5a7d2bc31e9ec8fbe41fc464a412d2

Download Submit
C:\IntelprocDW\aoptiloc.exe

Filesize
3.0MB

MD5
08bed3e8ffa4a1424f1ce2a05098b603

SHA1
542d1e15f31b5ffc8e18942d68dbd4d5ce617b9e

SHA256
fd5c7f2b84628858da15a50ebb1e24eaa2e3427e00ff63921505f6cf46f90719

SHA512
78ccc91f1348a7000a9d3c25b4d5b2550458e81acbccf107bf0b1563142e6a70362bae0ba25f4e428b90d47a01e1e31a36dd1d0262f85d314f9f5e037c1ec863

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
e88a9b2a31900b9edda1101301583056

SHA1
d2df7c7dbb9b3f5f7b679f49c36224f3718b116f

SHA256
b2b676227580757a9487958898cf00c965beb17ba5fca20418b32acf4700d42e

SHA512
2cf3b646128c6f1e0014c5fc5b93607448d0b4db45c7a8ac51d4e60b23cc296798b9a4d3792eff07a36d5102ebab2b080cd98482ac01d7f32c7efaaff2d5ba58

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
07d521d397bfd6b6befe61c462eed399

SHA1
a4755247c25b4155577b5e68dfa032bc1689addc

SHA256
e5ff907193eb8cfe97d9c42c91fccc65602439284272c3d6d56076cd4f3e21cf

SHA512
e25b0e0856340b2c9c9d4b1821fc026787763d35a6983335e0f648ab32cb89eb5bf5822cacb350fec7fbddaf49d692eac8c779094c59c148b01065653d65549c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.0MB

MD5
6cba10b1c3a2b2b372f9ffdd4785f8cd

SHA1
3a04e3d483a8e56e85ab8d1eeba03bfb306c33aa

SHA256
a9d8a6487746c72a4428c1be118abcb8b319e9bd833f7e3e96488303e86566e7

SHA512
78061631f44b5792d5da44d90a0b6db551fb29a18c9b2e18bbcf7bf64f4e5b52c297a3974ec69aef4b92fed9c6be00ffe6a4d2001b2d0c390028893b85e5fa66

Download Submit