27ea63244f117e7f6c4154e4f5d594de4a11418af431158abc63fdf4f1637255

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
Size

3.0MB
MD5

73958505ff0152f23a0cd73941c3e0d0
SHA1

abf7fa6de27db798cf54ef32625b51247de54cb0
SHA256

27ea63244f117e7f6c4154e4f5d594de4a11418af431158abc63fdf4f1637255
SHA512

3cfb8875855d779800f6544760e62ae77ca6dbba04d92c0134de49bda04562ff3268eff38fb8dfc3383aa85be0cc2eb6840c0acd801ba0ae564d011cca4c6c88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSqz8b6LNX:sxX7QnxrloE5dpUpFbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	sysaopti.exe
2344	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFM\\xoptisys.exe"	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS0\\bodxloc.exe"	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe
2032	sysaopti.exe
2344	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2032	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2032	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2032	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2032	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2344	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2344	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2344	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2344	1992	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\FilesFM\xoptisys.exe
  C:\FilesFM\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFM\xoptisys.exe

Filesize
3.0MB

MD5
230e381aeff4d21e9e21f1713cce7cb1

SHA1
b69c59c6755d286a7f7ed75ba0a8e7d470ca241d

SHA256
eaf4394f8b845a71a084059dc177d29f1c26812865e9284d2740dd83d0006390

SHA512
3a579cc0384721e0e532107c01cc0cef2e97a323426084e6e438181bcefb9ed1fa94c40dcb49899083fc3fb384226ece13a64c39b4b9c89836152bc6fa9bbb74

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
a19e12f415e3ac39ed80649c1134b78e

SHA1
7384f215aa9bc5c57317d0c3060d773c711c2ae0

SHA256
4b0b1324b4480a04c959dce9e1df68086586e30895ba3a2b435bda57e0fe113e

SHA512
eb67a6dc6430d62b6859e354d675992ddbd30798e38de671f19b673a192701a557abaa1a40007826032fa81bbf0a94f5c0c94225803c2153641a674d935db76f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
02f21068bcb1bca318c0fb7c983d87ae

SHA1
c123caf8cd8419f04107416e8bb5dc266aab77dd

SHA256
e09a72c0dc587cd0fb597844b26eede2d9057c0a9f59a5a5448c1ce258a93317

SHA512
4af37bc1c41f28ffcc4def3d71832ff9610727dd75f4b188477b6c8387a8bcff159506800f3b69fef18ea13537e14bf043ce043fb6b5f67efbef2c115021613d

Download Submit
C:\VidS0\bodxloc.exe

Filesize
3.0MB

MD5
e44010cab1f90d291ae92826a2675a5c

SHA1
5aec956d7ea738dce4800e933fb7fd1003db889f

SHA256
f78e3318eb1cf22faae3ff444e67d9e62c8ce809942dd935c42a78227787250d

SHA512
5b5d58770153999e28da5128ebeb6d9092237cfe45ed383db4732ef7b406de92fc24af8b1bf669f292b26a1a2085ce4a4bb03ef919cfd4b2025519722067184b

Download Submit
C:\VidS0\bodxloc.exe

Filesize
3.0MB

MD5
59b42a16a835c897dc31603129e1f83f

SHA1
00d8acdf5fde70b3f7563f76a3b5c6f5fac1253e

SHA256
6c0bea445020eddb53c4912d53569cf04a421702dfb4e24495e84328d8672602

SHA512
47efc92fb102df12eb9ea4222c5f96eb897df7d064adaf7e60d37ced8c4454afb4fb108065b703761018d27ec266a1e47b84ebbf4368ddab17352c2b9893b99a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
ab2a3e47d84dd5f6993a2fea700f02e5

SHA1
2c84a5b9cb79117535448544662cd26f80491604

SHA256
f7b0667d7d6ac76caa51e8f69bf5bed53712a1f19e8975c23148ac2587d61086

SHA512
c1b3cb0cb80e085893b5d560352abe24159f75c73cadcac4e621271030215ac6eb3b508e1581ad3581800129f1821c17ab228fdec14e98050e013e9c1676d7c1

Download Submit