27ea63244f117e7f6c4154e4f5d594de4a11418af431158abc63fdf4f1637255

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
Size

3.0MB
MD5

73958505ff0152f23a0cd73941c3e0d0
SHA1

abf7fa6de27db798cf54ef32625b51247de54cb0
SHA256

27ea63244f117e7f6c4154e4f5d594de4a11418af431158abc63fdf4f1637255
SHA512

3cfb8875855d779800f6544760e62ae77ca6dbba04d92c0134de49bda04562ff3268eff38fb8dfc3383aa85be0cc2eb6840c0acd801ba0ae564d011cca4c6c88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSqz8b6LNX:sxX7QnxrloE5dpUpFbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	locaopti.exe
752	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKF\\xdobec.exe"	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6Z\\optiasys.exe"	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe
3792	locaopti.exe
3792	locaopti.exe
752	xdobec.exe
752	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 3792	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	98
PID 3464 wrote to memory of 3792	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	98
PID 3464 wrote to memory of 3792	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	98
PID 3464 wrote to memory of 752	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	100
PID 3464 wrote to memory of 752	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	100
PID 3464 wrote to memory of 752	3464	73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe	100

C:\Users\Admin\AppData\Local\Temp\73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73958505ff0152f23a0cd73941c3e0d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\FilesKF\xdobec.exe
  C:\FilesKF\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKF\xdobec.exe

Filesize
3.0MB

MD5
fe6c65ff9e99e0f8cf45cb9f02f5b1ed

SHA1
1ede8262a9ddb2ae281224bca52053cf5e064032

SHA256
b1775405d329ae48308b7677ed2158ec8daa467af9a4fe7eac43389ac6955487

SHA512
566302d36663be85ea31040d092650d4b8ba7ade7a52688452f8f0edb47a2f4933cf329f739e19b2909dd300a33dce5171cf6f67045fca8efc5a1ed61928b634

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
4864be04ed7f265490e27fb483e5ee51

SHA1
fe94f8dec3f1ff2ceaee6f352028ab2e74e1bb58

SHA256
fec28f13619f89db0429cf2775900ec0a1b2e960d50e2aea2513bf9d5bd3c1cb

SHA512
f559a055b9661605f7f325b72ee6940c3287a78c51fe71a479a2338ff1d25ffdfcdef03ea3df7a6cfe6a4205956335e524e0e235e880957c4ffde88b6772f12b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
699cb022ff1c5016b3fcf94869d277b1

SHA1
044890daef3320c3552048daf9045b5495174505

SHA256
6c21d430292dc6336f6374ee4281106342ededd7b33fbb867ebdb6ae026ff11f

SHA512
b156e21c385768bf856d594fdb261329c611197164ed0dd1f643ed06e79b363f625cadb8df564b539f8c717c815f8a06c779da294baafb91ce45aa3d64822acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.0MB

MD5
9f0e0d251f8c5913ddcede8d6664e167

SHA1
73c463d0d95fe8ec445a0747c0448d91ec8b5cdb

SHA256
5652c7c021e114cb6ca320f2920def38a87b469ccce75af8694f8171aa38ff43

SHA512
aa84c19b01685ae34f6c7867195ce4c8af23fd4ee438d66ce4d0fa4a5c3818502e14c8a0b917f1ad2c12542b1651a9ce3cfb5e65cf1d46552ac3213db48f6d20

Download Submit
C:\Vid6Z\optiasys.exe

Filesize
3.0MB

MD5
c97b8a487e47e0c246c7664a9fb033e6

SHA1
9db8b9b77b120d1077dffaa9e3ed3d79542381dd

SHA256
39d33dd31ce2559f84bf6befde1c004bff2c88dbe22f965cb07c65f31b9b717f

SHA512
252ae3dbdc93ef7431fbb767192effcee581af12435d4447b02f1326fde47a2401dc7a2af06e9e587a8a7adb4f772f95537737c703ab5901c8c2821533a97fa2

Download Submit
C:\Vid6Z\optiasys.exe

Filesize
3.0MB

MD5
ced2cd06b5152a58fc757ade7a6f541b

SHA1
e9ad267d3ce40ad2e4e355015e51804a7709901e

SHA256
6445b18f8b9bcbe1973fa89e83087e7f99be1399bfaf7cf925ed5d8ffe245935

SHA512
bd8d50ddb0214e87d732fa17809ec009b5616b00507c1c08684e0ba68ee6c4795a15f56a9094677a7f02b7d7ae9b6d5c92a808e1ff611de8ca57de064af750d3

Download Submit