b8593c7ab9d69fa724ca0c6498ee8900a2e7f25430669a5c3194eadebe795b5c

General

Target

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
Size

4.1MB
MD5

7d2904bf315ecd17d3218f888b325d10
SHA1

91abbc79d24b79bf11fd05f46bcf3c11beb803fe
SHA256

b8593c7ab9d69fa724ca0c6498ee8900a2e7f25430669a5c3194eadebe795b5c
SHA512

41b170252445eb597647fc0d2e60e95f1f59223de8152303666c817a048302f8951789d4eeb9eb9b0edfcf75b6f712bf85d5f4ac94380948817b5c89e7253ec2
SSDEEP

98304:+R0pI/IQlUoMPdmpSpv4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm05n9klRKN41v

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe

Executes dropped EXE 2 IoCs

Processes:

AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exexoptisys.exe

pid process

3704 AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336 xoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZE\\xoptisys.exe"	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPO\\optiaec.exe"	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

2232 ipconfig.exe
2860 NETSTAT.EXE

pid	process
2232	ipconfig.exe
2860	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exeAdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exexoptisys.exe

pid	process
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
4336	xoptisys.exe
4336	xoptisys.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2860 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2860	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exeAdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.execmd.execmd.exe

description	pid	process	target process
PID 4940 wrote to memory of 3704	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
PID 4940 wrote to memory of 3704	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
PID 4940 wrote to memory of 3704	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
PID 4940 wrote to memory of 4336	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	xoptisys.exe
PID 4940 wrote to memory of 4336	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	xoptisys.exe
PID 4940 wrote to memory of 4336	4940	7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe	xoptisys.exe
PID 3704 wrote to memory of 3632	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 3632	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 3632	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 820	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 820	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 820	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 3588	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 3588	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 3588	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3632 wrote to memory of 2232	3632	cmd.exe	ipconfig.exe
PID 3632 wrote to memory of 2232	3632	cmd.exe	ipconfig.exe
PID 3632 wrote to memory of 2232	3632	cmd.exe	ipconfig.exe
PID 820 wrote to memory of 2860	820	cmd.exe	NETSTAT.EXE
PID 820 wrote to memory of 2860	820	cmd.exe	NETSTAT.EXE
PID 820 wrote to memory of 2860	820	cmd.exe	NETSTAT.EXE
PID 3704 wrote to memory of 2460	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 2460	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe
PID 3704 wrote to memory of 2460	3704	AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7d2904bf315ecd17d3218f888b325d10_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:2460

C:\SysDrvZE\xoptisys.exe
C:\SysDrvZE\xoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxPO\optiaec.exe
Filesize
4.1MB

MD5
42a1fa032fd44ec2053092887d208b73

SHA1
583bea1031d52c0b776443917a996ece8448bb64

SHA256
1d9b85498c07114076c52e32c3110c1adee4bf90a629640e6816fc2429e02530

SHA512
2a901fe7fb4a39ada5f59f81610e43e593acc1ea71ea184a2c6602eaca9f88b9beb6491018f644e248d0e4469b3cb4a6eb5682d42f75bac402120cdc46ef5462

Download Submit
C:\GalaxPO\optiaec.exe
Filesize
4.1MB

MD5
bf91e87a1f63582f7ac1c1bf65795d2b

SHA1
c55ea71821aea92aa2383c096ee8f5a3a9171952

SHA256
cbff2300e025feb932c4f5a930ce7274a205d47ec584584b574e8dc9fbd37eb4

SHA512
11ef57df9df66b41432ef19ea5690332420e3d9d09e32a6cc936db2576a2e81a2bac4b1d2ce2ab78e83fe3c698bee2ae821eea0ac99213cc93c36053eaf7621c

Download Submit
C:\SysDrvZE\xoptisys.exe
Filesize
4.1MB

MD5
896ca15e9921fa1a871d969ba8f86cbc

SHA1
5ac1639ac8511b08e54018c535539996dde27823

SHA256
42c0e458bc4413efff58f9999166ab165eec645720254c8a3e69bf1ed765ffb2

SHA512
38cf37f1bf5638d8a1898eae93ec2005fc05e6c8c9957189583203b09f38cf56175c0146f9b14c412ce8c58ab842b942eca9ea9bea0320e18d1ae93cecc28060

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
7d254b318a234514d51e75ed3bfacf27

SHA1
71d44c0a7035c841854f1791e0562e1553bce34e

SHA256
736cf6d2e624e752f024b94ff64e21fb75da98c3402809db8c3038f411298a43

SHA512
4e3ae7c2e89cb8450817f5310222c9074c699b45a276239bba62632af8ac6d83a6152d4ade3ddcb14c2f6ed8cd4feca6725c58892425ad112ce9a31dd521f74c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
18d30d3691d8708bb45ec264824c59af

SHA1
909b83a8aee482c8893851e34b7f2253f8c1c26a

SHA256
58268baca4816f94dc8c868f575678f4da3c499a6b4f6b65ae81ba766823b6b7

SHA512
e327d5dbc92d66ad5b0672091b6f9affe36d8a882d259b65e6089b054dc9d8a43942dc78d172bccac729088cd01bfd95c65a2a00c0494fad08cd379a9090d88c

Download Submit
C:\Users\Admin\grubb.list
Filesize
40KB

MD5
bf2650dd8e0e53a96c666056de207749

SHA1
861b0e8048b592d15309fa4ad83908cd6b7f09c4

SHA256
f8317d4fe1f340a0fa5c82da4f5dc877e0752792bede766da3d551dfa2d2bc89

SHA512
bd6f8f36c141a0b8e4a0404b08fa64319c164ae352427701745e2822f73d90d3f0951cdbfbae299bda4a072114bdf95d0e130a7dc0d29597a0be89f3cdcb29c0

Download Submit
C:\Users\AdminbGvvJgzgbXugsotmbSoixuyulzb]otju}ybYzgxz&Skt{bVxumxgsybYzgxz{vbecabod.exe
Filesize
4.1MB

MD5
580c300fc1abd63630ae0ac8b6a5595a

SHA1
c6c09bba865b13254def2d2ac4e5babfd4c08cae

SHA256
d8b0bd062adb81c4377685bf4c55f23776d117447b35c4359b8b606c5cf2ff96

SHA512
35c829485a23084426cba751007fb0f4db7128a605cc6c0689c9f0c290cca19b373179cd6b1a82c3fb8e9273982c5dd905041ab62d35092565fb8aeaaeecc9be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads