f6835a64ad16b132838d6d01ae750aef33b5bebdf2d5a19265fa5347e1153609

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
Size

3.9MB
MD5

579e2f65cf33f76a1b355d21aa8147ff
SHA1

ab4fd4314a2ccdd74fb3f05e37c0fa61bcf13081
SHA256

f6835a64ad16b132838d6d01ae750aef33b5bebdf2d5a19265fa5347e1153609
SHA512

9febf2abf1947f1c1691eb0eca3061132f25601e407c3d11fa7b5ea3c951831c95be167bd6acbc9fea7cc24fc00f2338f71fb78b94b2e7af6f921ccb9242c185
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUpvbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4968	ecdevopti.exe
3460	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe"	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe"	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe
4968	ecdevopti.exe
4968	ecdevopti.exe
3460	xoptisys.exe
3460	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4968	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	88
PID 3948 wrote to memory of 4968	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	88
PID 3948 wrote to memory of 4968	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	88
PID 3948 wrote to memory of 3460	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	91
PID 3948 wrote to memory of 3460	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	91
PID 3948 wrote to memory of 3460	3948	579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\579e2f65cf33f76a1b355d21aa8147ff_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Adobe7H\xoptisys.exe
  C:\Adobe7H\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7H\xoptisys.exe

Filesize
3.9MB

MD5
8865c537b43c4ac5c0938fd5f9f56ce4

SHA1
1e4889bd0957ce024d6b755228b1502646b33f5c

SHA256
4722d511716591ce69c09adece746645f077d5febf51abf20d22581b68800710

SHA512
dd3100d7e7cd2556aa1b84bf6e1246e2e69f48bda63b9f8482dae4ffc8769915799af2a4b85a33871df05bf7dd552ff8fa03238602e73fecc241e6192f7d64a9

Download Submit
C:\Galax7B\bodxloc.exe

Filesize
2.3MB

MD5
11af832108be91aa515d2b4b62ebd27a

SHA1
5854572cef0866445a1c758411bc97abcdf541b5

SHA256
5209ecd626fb226591c19e667b57e2f07c32dd580eb3b0495f52524ba40d65a8

SHA512
182d7016b17bf8f64f740093bf85b0ac22b6cb90268a1deac2d4acba7636a37a571a041785b15dd99d496abe405e03fe3451a357afe492f70ae698e7ab2c54f8

Download Submit
C:\Galax7B\bodxloc.exe

Filesize
3.9MB

MD5
dfa3eefed735b52cf01223d942abffee

SHA1
d3f0ee415b15b96e207092c5383ba9d87d263e18

SHA256
e68dab5e485de5bba65e49b04881888f5bc9a37fec81126531983f6eb416e735

SHA512
d72d0a0bc35e1f73d04fd7bbe243825b25d86f5f456fdada06d530619796dc118f3ce60dfffb68f89d03a2b38c54ba85383fc0c04be97d1da19bc39557c9c353

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b7d4e789dbe8aaff0e22005232d66884

SHA1
561bb99b8bf60cd817be81e70a1514013689ff99

SHA256
c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9

SHA512
9772d0d833083c9f49d10d230410304c5e2cc1c361d08d88fe665d101dc041a8ae5b7a388fe62086ff833a6ad91f22ebd3d616e985b3b96f7705ec292c1f2943

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
ffaa8f5b267d209a4b61366b458b0679

SHA1
7f9effe04f4a1de5f0aae4ef4659ae94d7bf9264

SHA256
2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56

SHA512
8ec34760f695bfd5effabade3d4d982c98fa556379f058d1590b7dafbfae5f0fef4cc33e421928739582a603855a350b6fc71fe2df5e50df1a8c630fb0eb8213

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.9MB

MD5
1d4dd9b9e1db943a7879f1eaebd106df

SHA1
9113a95b77b4b3086b2506f22ad5dcaa2a759039

SHA256
688a1ef04c87e218f7500d78eb72dacf190f501ac823ca09c560345e14d36fa0

SHA512
14504d969023239d50f1b1cf35a9e092a37435aa14635a5394fc4d247be3225c81344abe3652c5818b20b8029b7358387ae61dcce479870320d0fb307a854885

Download Submit