f69f230a17ecc712519d2b1775f97e9339b30afcc57795a8bbc2f22c2f15d9d1

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
Size

3.6MB
MD5

31df1c167c9e07e99f085b6bcfe5f5c0
SHA1

16d4c36a2e9881d88bd71e56031e15e676aeb365
SHA256

f69f230a17ecc712519d2b1775f97e9339b30afcc57795a8bbc2f22c2f15d9d1
SHA512

dc6c4c5f42b4e43de28b8fc690371a96342d1fb5aed3ec329d9db033bdafc3b1f9d0acf7bc184c5b8a0d9425bf2cd7669cfb114b4e55c971628f8fdf76dc0bdf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	locaopti.exe
2756	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYN\\aoptiloc.exe"	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKG\\boddevloc.exe"	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe
2348	locaopti.exe
2756	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2348	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2348	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2348	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2348	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2756	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2756	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2756	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2756	1936	31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31df1c167c9e07e99f085b6bcfe5f5c0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\AdobeYN\aoptiloc.exe
  C:\AdobeYN\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeYN\aoptiloc.exe

Filesize
3.6MB

MD5
bc90ff4e98ee25d8c8106f19ab669281

SHA1
95295569309753fa589500f6b373a2eadf14ae50

SHA256
6d7ba81f19bf9717527bf7de5fd98d7104b8c23353f9b2e4febbcf627f16f066

SHA512
e5e2b2794ce4c2e6ba8addf7402542ced3c3c39ce57a7b3c80d052b308916197c03c95a239c7fbc5af5c64d77b627256223feda194a1c524ed942f14eeeadbe4

Download Submit
C:\MintKG\boddevloc.exe

Filesize
3.6MB

MD5
45ed10810d5469285199dd06d141a864

SHA1
ccef84b1f554943529e7fcf5e27c6baf114e3752

SHA256
d2af6f1de5921a44aa22dee12ed20be62b82ac1bf99a87e345fda1f1459b8e20

SHA512
543ea9740bf4db2a4ce070cb8d9bed770bd14b8570c29b9a5e8eedb26a898f407e6d83546ff75e7cb7bce6c1db4173514078674fdd8648edff72e857b266b8b7

Download Submit
C:\MintKG\boddevloc.exe

Filesize
3.6MB

MD5
fae8babc55b68ef9fae071e057662ecf

SHA1
b8dc38cd7692422cd39771f7bf342972384c38f1

SHA256
b06764de056158c6e275a64a742b6755c0f8411358e3e7111bef475e8879b95a

SHA512
d92c3ebbb78e61895335392175419a5348cadd4d2ae482cb4e537fd60ed8e4a164a8ef3d58e474f6e63ff7237df834a9353e1daa10ec70d9c5ac65a3fa007d68

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
b7a6fb4d87619ee60f2c258d621076da

SHA1
d248a2f9dbb505cd32526712839217197ff37f6d

SHA256
fa6e4c3ab616d5c62eb9b4287e013b913ac7df9c98b2ec3a5f8afd6c7cfbc5c6

SHA512
fba89216b0ddd8f87242a26eb8c00bec7ba808db23a45047cbb38a0fa75f8fe080a9411beddbb9d65416d420aec3e04dce7aa742a2776cdd3736a689ef6c9c2a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
dd4a1a2aed04f2c6bd6670302b6752e4

SHA1
ca7555259420333e431b34ef1a1e4a68a4f0b8f7

SHA256
ec38c4b61645319a4e45f05ef1964c5bfddfac58bf86f3008698c2dbe3f08859

SHA512
23fe476b7717fe4dd4e566434de3292b214a2b18f49c62114950baadb77769a6f6ea671e45f1d1e6fa747dcca8a00cb1642b527d82ccbc36767e1b3b29380977

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
ad5f219bdf00b3bfbaeff4b89a803b58

SHA1
f2246b80be401f73aa4a2ff5eaea6ca7e6c89c14

SHA256
2820fc9b012181a6bb4bfa4740d00fbd07df2797b6c657a697c72aa6ea91de77

SHA512
0e1b6f52167f4898698cf9d08cac3d6c996f109e71ed9a34fc9e5a19da7b212c302cecd18e0cfe7a1b415f2cf1d0b9d86ddf15b4046b70d9543465c7eeaaed5b

Download Submit