3aa288b56f4e5feb3cd6efff2ba6dd52089a0680346d2bc2876b979719f36754

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
Size

3.0MB
MD5

4c34d9f44a3a5cb6e258a51c4a1efa60
SHA1

5b9b00cdbcf3faa48e7d17475292e59070d6de28
SHA256

3aa288b56f4e5feb3cd6efff2ba6dd52089a0680346d2bc2876b979719f36754
SHA512

2c7424db0748526a570ee79aceaec4c7a97f8adc704c567a6d0a861358ea1c56db2b54880644721c9b74ec7276c50d8680f7aab9bb1d20ef66db8f6b8a941fad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3844	sysdevopti.exe
3592	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV6\\aoptiloc.exe"	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ65\\optialoc.exe"	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe
3844	sysdevopti.exe
3844	sysdevopti.exe
3592	aoptiloc.exe
3592	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3844	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	96
PID 1968 wrote to memory of 3844	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	96
PID 1968 wrote to memory of 3844	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	96
PID 1968 wrote to memory of 3592	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	97
PID 1968 wrote to memory of 3592	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	97
PID 1968 wrote to memory of 3592	1968	4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c34d9f44a3a5cb6e258a51c4a1efa60_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\AdobeV6\aoptiloc.exe
  C:\AdobeV6\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeV6\aoptiloc.exe

Filesize
3.0MB

MD5
4401005079b5d568781ba3036bcb13fb

SHA1
ff818bcff46557b8a8571c31fa89e3cab499d383

SHA256
81e6c650c3471498152617db40ac63fe7d015750b7aef001bf176d1e616c1e3e

SHA512
113134a85e54f97f9477b4e2b4f856986fefb58a3606c636cdb91215733b31fd7add902282adf5a8d21834b55462a42ae329de8c2766f4481215c279e3d6daf9

Download Submit
C:\LabZ65\optialoc.exe

Filesize
3.0MB

MD5
edf33b16d9738446c3db0750b1b6b757

SHA1
3179fceb0abf564282741d246dbe54536ac60139

SHA256
4ca1d2fc92c0a2641ccde4393125bd77a0d244a48f6efa09dfb69ef993987086

SHA512
edc2da2b7ec2e284fd7befced11d81c644d3e0aded0435dd37a12477690137f98a8fb60668a2394b9eee26dc0d975b87ae9c4eed342a9b019b7558c5ca5355b5

Download Submit
C:\LabZ65\optialoc.exe

Filesize
3.0MB

MD5
75d877e1d10b846635dba633429ebcdc

SHA1
31ece7df18be1917e231cd1c0c4d1d4dbd9f0557

SHA256
cd300fad4d9541829c50245de98992f3b91378e8f1548145cd2d13e089aa4273

SHA512
476e769fe68dea8af756388d88576f8ad2ad6c4ab49cd58ea2c8075c0db8eaa1bbf38b955b968b58626a48c9c8e98a8665b66ddcf8b273d1a9b03348103e9eba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
7354f08ac4cdd2d10db080476a2f8b20

SHA1
6d54850f6c98c406ef3f265aa5771f11ceb90759

SHA256
dc226e65b0dc37397673a2184d3fce79f834d58d32e0c6d8f7d54da7256bdda3

SHA512
5003f8697477047229737133106170ddbf05dbb9b79ee40926dfa1c182a2671d0fdb062dccbd075e77e71cf4fcb0646547a2895e042f31c370cd00a1d3c1c7b6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
f33bab3376250229dfac181a5fab1e2c

SHA1
80531fcb2ca957f369b799925fb1a62f2f912253

SHA256
8204b402197246735f3bba3b6ee2496b3148eb77c0f4bf736f30da3aded530f0

SHA512
975a8de29dd7882f6adcf35f01da765e16bae704bd48b36116d367cc0720ccbd598cc492a5fd564f0ab143880dc621b5bd98d6731972833592b2ad59331470cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
3.0MB

MD5
4ec6c66e9bdd45b4d0dd8fbae6c753fb

SHA1
c0082fa39185d22c724c1f638a9a4e325c22a1e3

SHA256
f9caa7849406448e75e5b599c7b487ddba696e926a51d83a2cdba45a32bf5982

SHA512
6a0962a8f5dd0324c62b6f576a7934f89b17b4c9b999f6603487b354bd37600e80b77c2ddc347ae3679862abba1b8caf979e40e735a7f33e5f77ce0050e5bcbc

Download Submit