8430bbb01decbfffad41e6a785aa5fd69b6374e65edfaa9c13360b68a22ad053

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
Size

3.2MB
MD5

000ae7abf052ff1f57d4cf71f49c728d
SHA1

a0175daf9f82d87af0173652fad44fa6048b89dc
SHA256

8430bbb01decbfffad41e6a785aa5fd69b6374e65edfaa9c13360b68a22ad053
SHA512

b5fc104c3e9f4a82f73186639325028e48eb21dbf1a647b5e916911631f071b2d2340cb3cfd040d5711fa4eb1abc58cd28b49b91879a3f7f55abe1f99ecd5a2f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	locdevopti.exe
3068	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\xoptiec.exe"	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDM\\optixec.exe"	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe
2292	locdevopti.exe
3068	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2292	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2292	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2292	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2292	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 3068	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 3068	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 3068	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 3068	2184	000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\000ae7abf052ff1f57d4cf71f49c728d_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Files5O\xoptiec.exe
  C:\Files5O\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files5O\xoptiec.exe

Filesize
3.2MB

MD5
65e94076c06e19dcbc57ca8aec23dc8d

SHA1
5ed042bbc9e4d2cfa701a7ee11b15cef59895549

SHA256
6009c5442aaa6350cbd80b642d2027f18b7a4ef4a125471fe20a900414cd3b7f

SHA512
3f89e8fa9ba018f114dc24f3450e5564b3ab511b55bc85b85ea056d16353dd9619a3ace1cbcda9f8183fa6ffd04b685509b5f50e0415d20f53bfc32eab6bf84b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
98c0fa28739e9ca2f4a6cf8b39be2dba

SHA1
4c822faa67df81862cdd25fb17bc1c2a87831f80

SHA256
8012405733882b6027f50fa2e3e2d3d8baf4752cd7243ad5e050995b54260e4c

SHA512
bdf902a3ffce025aa78f77b5bf44b9794aa06c9c440ab06fd9e6ed6dd370fe54be4c3ebc2dd2a391a56e1215975b3c5557c8d4be9803fe32d4d4c0be8662c0d9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
43d923894d47412ad95845daef951271

SHA1
867420c9c054f4cd61a6eabccdd1d4a29cc26bc7

SHA256
50f9a4cdc7feb7ada022d79dbc27fd60f17e886acc94e8f23a37fbcb57f258fa

SHA512
6ecb4cf85f7d0f6ed3a506bbaee855dd6a5d24867d7df23b039ea73c9cab730269436c3b0dfa0b56da2e647650430302f6c22e36ff08e648c7d99dd078245aa1

Download Submit
C:\VidDM\optixec.exe

Filesize
3.2MB

MD5
684c1783517ebab71a1319f6c7e38457

SHA1
d10e3a541ad0c1cfce90b4c18dfaf485cb42eee1

SHA256
61867c5ae50bf8cce63b9246eed49d5f86671ccf91d87c9537e7c6fd512be174

SHA512
9bc9120508d7e79e111ea94d92f2fb9aea814455dccea7be24d860e2e049647ce02eaae13eeba4fd43242babe6b7267379e08e1afcaeb4355853efb2e4aebf13

Download Submit
C:\VidDM\optixec.exe

Filesize
3.2MB

MD5
7ca80c80f5bd4e3050b5e1ff942b2729

SHA1
e7e36d0d99b834a6b806fe87d159f89d99e0584a

SHA256
2dbb3f24ac5599b4e7c59ed9138aa2aa31fce4356fddf68aa06ace1ef99b2e1e

SHA512
3fc2e7c5fe1f92645944dce6866f2ce9f1b5d3a87c052f6afd680364556396c73ac53e5095400e11dbc0655158c406378856cdcd46b256c6bce959109c91565c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.2MB

MD5
c7303fdc7b302fd6d5dd252985b8985a

SHA1
f3e3fa804601e99599baffed64bd42281378d855

SHA256
9e2d2a208dc77cfd9ec13f18de8be108cac5c3f65f4806653f4618c10c8e2235

SHA512
22f9db0824f119f2a6ee6d688706d5b287831168464a6eb6d262b5ee854b245657023798186c9b8f7d4a30066fb61ba0ddcf720700164a10ae280a44c03d0b83

Download Submit