04a10784b3027a3ba0fb91b386a9d4258651b19dee8cf425588c5d25230b219c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
Size

3.6MB
MD5

33a9720f65196caf040dd104bd9a34d0
SHA1

26b48cc87165d484ee711491b9fb06ee2d9d65bc
SHA256

04a10784b3027a3ba0fb91b386a9d4258651b19dee8cf425588c5d25230b219c
SHA512

9154ca396a05731c7fd08a49e04c9efd64647e5f7702557a14e74e3139494180458305cf0180f57b1da97732252c063d826eea3438d84f95a803ba8663df1783
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUpHbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4020	locxopti.exe
4860	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVX\\aoptisys.exe"	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintU5\\optiaec.exe"	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe
4020	locxopti.exe
4020	locxopti.exe
4860	aoptisys.exe
4860	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4020	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	87
PID 880 wrote to memory of 4020	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	87
PID 880 wrote to memory of 4020	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	87
PID 880 wrote to memory of 4860	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	91
PID 880 wrote to memory of 4860	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	91
PID 880 wrote to memory of 4860	880	33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33a9720f65196caf040dd104bd9a34d0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\UserDotVX\aoptisys.exe
  C:\UserDotVX\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintU5\optiaec.exe

Filesize
3.6MB

MD5
5456bee178a101fbb8623a9740c2c603

SHA1
d5ebe36bc71cf5ad85c625afda0d1ce3aaf6f103

SHA256
3556b85d98792bb1fed9e7f1a08f584d21357e940a6cbea14676b58d89ede8f9

SHA512
ce905a9cc4c57665dafa431e72919bacf118aeec076163d7827f57cdfe17693fe00ca0eb9613368bd05a6b01efa0e37cf7ac3b9eef9df1806d2d6bdc05f32d0c

Download Submit
C:\MintU5\optiaec.exe

Filesize
3.6MB

MD5
6aec26370e48ea057268d658974d2dcd

SHA1
d564d565444573729135950c9653f613a1ce50d6

SHA256
9e4ebdbfbc9bf71b78b421b22c8b813adfbdb4b353e817e24ac59c533e7f04b3

SHA512
14982a8358c39dfc679090c5a3912daf3d2b5c0a57b5107d7b5227fbb9ca557f887f2e9adc0a2309c20f17d0b05c8d3619ee1bf43b177ea321643be603ffe8c9

Download Submit
C:\UserDotVX\aoptisys.exe

Filesize
3.6MB

MD5
9ca0e8582b9970edb00cd1c6d730adb4

SHA1
ce1942589a01e210f85ce65f81069b860e08befd

SHA256
c37f1784c1c25b23298c6cbbb13ea4aa36a57498a733f335f4a5dcda38c01342

SHA512
a9fb177f62ba04dcff4119467da4f0092d079647c521406736e3fad4b8dc33517a76f1e010f46c2aec9c9c67ba73fba18a7ed52f2acd94089bb1887c2df90c01

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
bc4d5161bb6eab42301cdde7000c0579

SHA1
b708d4639e9315b1c1be18f08169c3067e9baded

SHA256
8a40ad7a3286674e475b0a4df11be02bfd87626f40b2144ce2c8772429e5fef9

SHA512
0df197dd179005219fe4ce388d275ada965d1346b014c16927851fc02e59609d019b3d71e924f9c4527b0addf052a6bf494b45c5b6140b329c89eefa9781efa7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
124ddf3a796d54908fd718615d60e821

SHA1
326011ba97931c0bf37bb8220abe824cede4f22a

SHA256
9bb07ebe42195cdebbc1937d019df4c75fef76a7d4573bb81df95620ddaf1487

SHA512
c7ecd4bafe4ebd924bd7c81b7456eb6d3c32805c25d3304392f152510492f1edca215422f8574b84d504e4c8b5d392566d950e5ffb4fdc95e3bd411978c74406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
63a1824c36da3ae36a2439bc1c3cf043

SHA1
3210090b03c0292c41f86619b8cda1122413d196

SHA256
15dd9081997b48f28a78c4beef8ff4d8e0f775610611a12836dda9953812d36a

SHA512
f6c0cf49dc70e7ec3dd87273f3aac59e446d9e0fb22a51946952f0bbd0a4601f6ec092d2f1d6fc1ac82e6cfb67384afb71f5d58991d0980532562df013f9cb8c

Download Submit