1c6d824532c5d4019aae702f7984955e1d4b7a6226bb665071e4325f3ac270cc

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
Size

2.7MB
MD5

06d7f90286133c1bbb1a0c5beba33590
SHA1

5b8ecb8ad9c0e67e4f9e7cf88351de36552711ab
SHA256

1c6d824532c5d4019aae702f7984955e1d4b7a6226bb665071e4325f3ac270cc
SHA512

8614f6c72df649b6f021b9995de4de492766980aea5aaa6ea0b766f85f6f734d4cd1954a9d20e834d99ae2ad944bdcf1076900bdf6b779d45be7728257f2855c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpB4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	locdevdob.exe
2672	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWD\\aoptisys.exe"	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIJ\\optidevloc.exe"	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1472	ipconfig.exe
1252	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe
2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
3060	locdevdob.exe
2672	aoptisys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3060	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 3060	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 3060	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 3060	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 2672	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	29
PID 2296 wrote to memory of 2672	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	29
PID 2296 wrote to memory of 2672	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	29
PID 2296 wrote to memory of 2672	2296	06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe	29
PID 3060 wrote to memory of 1624	3060	locdevdob.exe	33
PID 3060 wrote to memory of 1624	3060	locdevdob.exe	33
PID 3060 wrote to memory of 1624	3060	locdevdob.exe	33
PID 3060 wrote to memory of 1624	3060	locdevdob.exe	33
PID 3060 wrote to memory of 1560	3060	locdevdob.exe	35
PID 3060 wrote to memory of 1560	3060	locdevdob.exe	35
PID 3060 wrote to memory of 1560	3060	locdevdob.exe	35
PID 3060 wrote to memory of 1560	3060	locdevdob.exe	35
PID 3060 wrote to memory of 2132	3060	locdevdob.exe	36
PID 3060 wrote to memory of 2132	3060	locdevdob.exe	36
PID 3060 wrote to memory of 2132	3060	locdevdob.exe	36
PID 3060 wrote to memory of 2132	3060	locdevdob.exe	36
PID 1624 wrote to memory of 1472	1624	cmd.exe	39
PID 1624 wrote to memory of 1472	1624	cmd.exe	39
PID 1624 wrote to memory of 1472	1624	cmd.exe	39
PID 1624 wrote to memory of 1472	1624	cmd.exe	39
PID 1560 wrote to memory of 1252	1560	cmd.exe	40
PID 1560 wrote to memory of 1252	1560	cmd.exe	40
PID 1560 wrote to memory of 1252	1560	cmd.exe	40
PID 1560 wrote to memory of 1252	1560	cmd.exe	40
PID 3060 wrote to memory of 1728	3060	locdevdob.exe	41
PID 3060 wrote to memory of 1728	3060	locdevdob.exe	41
PID 3060 wrote to memory of 1728	3060	locdevdob.exe	41
PID 3060 wrote to memory of 1728	3060	locdevdob.exe	41

C:\Users\Admin\AppData\Local\Temp\06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06d7f90286133c1bbb1a0c5beba33590_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1728
- C:\SysDrvWD\aoptisys.exe
  C:\SysDrvWD\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBIJ\optidevloc.exe

Filesize
2.7MB

MD5
dc6b2db53df5357f96a3c819d83e2c1e

SHA1
50045e6d6d1cfd770c54fa8e104c470840acb811

SHA256
a0aee5ec111c77fe78dadc28ef07c3b5dcfa7e2af0e9406cdf0b4dd96929c79f

SHA512
dbc06a000e57dd9cf2165566a7cf54794be7cce3f997f4ec0af0787a0ce9a6055e11aba3d7a4c4fdf619755f2215b3a6af575a9e9de0c379ecd4961df9022b2e

Download Submit
C:\KaVBIJ\optidevloc.exe

Filesize
2.7MB

MD5
6b3bd6529b66521664e7e004da50a98c

SHA1
3b5971db2178a4c88980f294c989972a1a1209bb

SHA256
902cef75b9fe85c830b48a209c0fef1125801dc63239b3d1f7e3353d70a1becb

SHA512
c197881f9a4f3a4aaf09b005b3f411cc99c891086fd0c6ae42350abd225861f2c2ad04b586dc06e4d2085abb31116b858da7e433fe927e4e85c78fb21cf536b0

Download Submit
C:\SysDrvWD\aoptisys.exe

Filesize
2.7MB

MD5
40ecb971c6d2d7ea2d11bf01754b7c60

SHA1
da421772cc8deaca930f4774a001aa6bfda8cafc

SHA256
502051419918acace697e09ff2cdde213c13c0fd87232ba7e6eed537a35bf096

SHA512
b0f6116c1befd9913a4aa14dc017ab9b2ccee08b62c5100dd69c66db9057e372cc51b67dde14c6180f6f29dc071788c49e7821a59ee2a9d728617db506a21530

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
611f010b8a08852522826d055251a1cf

SHA1
290f89a6b1afd82969dc2ed34ae789a81d98a183

SHA256
f3f8be13886436b38c766c35a25140f3771cff493214682f0f28f1181fe6bb3d

SHA512
411149424e022bed60ffb27376789efab94cdddcef8d25aaf6826012898968082a8e300352362bb39262e86aa3f18658f23ef737a260a53f03e29c06b0eb892a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
dc2b48de8f37fd29b2d99871c7d10af1

SHA1
d0be1ddf0712aae3d160ecc0480dcfb5529560de

SHA256
cf51e1cafc88bde7aa17481f9e107b720beabbafefddb93f2f4b3c9256f12e88

SHA512
d9ed8f2c2222e3e5ff5cbd2f30a6da90a3edf57c0955626906d23a80f885f8220bd0435ee99f15cdc642711223b01fe33e3108c661dce514b298fe35c511604f

Download Submit
C:\Users\Admin\grubb.list

Filesize
262KB

MD5
5cc5c7eab0444b401d090babd8667c23

SHA1
afe42674970a1a2cba0edf0ba3108f01decc52fe

SHA256
cbb07bf5e84d7bc81ec805217cc179bfd5a1dfbcd9337c2a177fd7eda37d1992

SHA512
0409b373f4787d6d3ec1cd4e40f5dd106d8514ca207ae3be912405f4079bf5e81619ad93a51420daf7e141976067f9544cd3595c6efa9d7d61398bafcd9d8a3c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.7MB

MD5
5ede9fa1bcdd237ace6741d584104de4

SHA1
efcbd014c482b55f6adcf1c1d539ff841b1a73bf

SHA256
38b4e97cba42b5546bc2437270e0a242031cef10cff341e424c75440db9d7527

SHA512
169f0224d3c40faf73e806585fa574d1205ebbc26f9a2d495801f2ca8329b82b740301709140f2b8bc9e1856e1025445383d0d3598eabe0a0e3d617e6bb36e7f

Download Submit