c31a7a410821ca100cd4423b0f7bfd902a8a5187f03b6cdc280dd756fae91d64

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
Size

3.0MB
MD5

1bcbd66f4349105f78b4de34247b5520
SHA1

05aa16b1d80b3990b7a29ab203583ac9f8edf4ac
SHA256

c31a7a410821ca100cd4423b0f7bfd902a8a5187f03b6cdc280dd756fae91d64
SHA512

f5cfcc0a21b0b28a983519926e167e9032562aba67f56e8ff33e0eeb350473156427fd96ca962de09255b9e86bfd9cb2b6ca3b30e33d3d3f191fc4d888b4972e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4052	ecdevbod.exe
5032	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYO\\xoptiloc.exe"	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV9\\optiaec.exe"	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe
4052	ecdevbod.exe
4052	ecdevbod.exe
5032	xoptiloc.exe
5032	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4052	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	87
PID 1320 wrote to memory of 4052	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	87
PID 1320 wrote to memory of 4052	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	87
PID 1320 wrote to memory of 5032	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	88
PID 1320 wrote to memory of 5032	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	88
PID 1320 wrote to memory of 5032	1320	1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bcbd66f4349105f78b4de34247b5520_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\UserDotYO\xoptiloc.exe
  C:\UserDotYO\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxV9\optiaec.exe

Filesize
1.3MB

MD5
ebedf5ca67587d0ed3c46c85fd1fc55a

SHA1
055bf708203423b3d3e99343424c1846349551ad

SHA256
b5f91d404a318bde8dc93a733bce2b934b6dd6643cd66d17845d2c7234b584e0

SHA512
7bc0b79f723a90b8ba90ca357d5a7db650d2ccb423e320dd02cf2bc5a45502a24d06d192efa2c832b093e7b72a2e31186f6b483bcf3bbb82559f4bbc80e227ce

Download Submit
C:\GalaxV9\optiaec.exe

Filesize
268KB

MD5
6d2cbd9804ab6b48bf5bc833043a49cd

SHA1
78607423e73fb66206fc719219adbeae849fe79b

SHA256
c3f98589755baa910660701ba5508907c963fd7bc46deb7e059ffe140ad00170

SHA512
ebb473a24b0578f093bf09882bfc90baba9d5c243d5bdd8120421ced4c0788cd3b3540a1f0656d8cbb671e30c6f93290b0b24caf83acd5472b3d6b62dcd51865

Download Submit
C:\UserDotYO\xoptiloc.exe

Filesize
3.0MB

MD5
67b01d56d2eed95ae061a44881c390f1

SHA1
41c42f888f4258786a53709899656119b2f1f38f

SHA256
ce8b2cc4dbfef046ecb1e46c42e4ba64340ad719c82cb68daf71c84a1aac72cb

SHA512
cf849f75d7f0e6f043e424fb48ac8f4fd99946bd6ecabfd8f655dbf1ac3e7fbf5a94820f0cda03b515733a80f51655fc35d1f16f19d451bd1670095cec9f85ad

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
1a4fcebd7a7079cd1994760e1ea7b070

SHA1
acf9bbd43c627c66b1e5371a56d8168a4f9b1a69

SHA256
aa58f04d86ef665b837e58f805ac59d9b757d7b177ea124dca82c1860ca2ac22

SHA512
da6b34144e8aaa64ae182498e87e3211f4139092402a6c35aae60cc8af2fc493489807eec7b265230a467f88658da45551735aa3daa28c0b67c31ac52a3865f1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
5bc4ad30ae067768b83ef3e812924be9

SHA1
0c8275e172f32bcbc5a8601bf6ac95dfc681b4a2

SHA256
856ece9415a1d7d4c9628d11db6b4b3167a7bd2ab8ba64d87d1ddfbcec0ba6ae

SHA512
1331ba4298d607210b4593fdacb6c580a556c9516597cf1c6ab2e45b3d7cc8e0ff9ab0f9c42c3ca8d80217fb055f42ef083e3384a770f0aa662a17aa5af92de8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
c63c06afdca69ff124eeba15c1b5081f

SHA1
6227414a5fd87f41c19c3ce09f015ccd5d7ac800

SHA256
c074234f38312c277aa4478cfe243fd23dbdf869f18cff7adbd2e86c8c0303b9

SHA512
276bacf944204c21fa8feb918ae62ba121172ac5e344053dc2d82b4f511221644b37988092d7310861c392c6dc1e970302235e9ff367ba78b3f4ae6286eae960

Download Submit