505a9e5c018d0eea8e3accee02d3a42aaa3dc2e1a6331676315fc77eebb65ca7

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
Size

3.0MB
MD5

094bd4e3883f7bf38f0d2463bd7d1900
SHA1

233f342e7a338812e8e4346e8e036d44380c3986
SHA256

505a9e5c018d0eea8e3accee02d3a42aaa3dc2e1a6331676315fc77eebb65ca7
SHA512

94792912738684be2bddd092ed2e15d8b42f8d173ef1b6d6c19fb512fef3217c77aae1a0b59c4d4fc0852990797982a0ce922ffff809f66a1b6294c054e5cbc3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNX:sxX7QnxrloE5dpUpHbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4916	ecdevopti.exe
4500	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTD\\aoptisys.exe"	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUV\\bodasys.exe"	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe
4916	ecdevopti.exe
4916	ecdevopti.exe
4500	aoptisys.exe
4500	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4916	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	88
PID 3472 wrote to memory of 4916	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	88
PID 3472 wrote to memory of 4916	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	88
PID 3472 wrote to memory of 4500	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	91
PID 3472 wrote to memory of 4500	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	91
PID 3472 wrote to memory of 4500	3472	094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\094bd4e3883f7bf38f0d2463bd7d1900_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\SysDrvTD\aoptisys.exe
  C:\SysDrvTD\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBUV\bodasys.exe

Filesize
3.0MB

MD5
8552b8947cf3c01ddfb01d983032534c

SHA1
9728024d3329274aa423342122fa5244d88419a6

SHA256
f8437e75415cdf10ef7573635b48ef0c8506454e6a745adc6a4a0e9aa7059235

SHA512
49577d6a22b24168e04acdeb3e9fe65d8fc43680e2dcfaada529ec1f390ecbcc20208da3a1afa7462cba7acc1535d2d02091da5ad36aabff3f481b66e1380294

Download Submit
C:\KaVBUV\bodasys.exe

Filesize
3.0MB

MD5
c5bddca334d95f367a4b417d07749eb4

SHA1
ce4a710160173c5c731969c8a97046558391a22a

SHA256
dd19686ea9598481d20eb566fb8c8ecb4df976e42c8812f58b1583228c431227

SHA512
5e62f29d7669d14b2356b493deee2dea340af8f30590c24da3a5b5f774dd58c6c6e15c51592dee9ccf5db212d3982ee23489dbfb90c328324f3a301d0fa92dd6

Download Submit
C:\SysDrvTD\aoptisys.exe

Filesize
3.0MB

MD5
050e944b278ca923f5cfbd65d3b703ca

SHA1
4e5c2eb23f87c0b3045ec7b3b161115113b6c8d6

SHA256
4c4ed58d3e071641f5c22a850c4001dd743841955d763ca3ff95d0c4c971da9a

SHA512
e818d117b91c811b0365c78f8e27317dde8dc4aba5893bee0808eb2ee58a1b0cf0187ec878398f384c31ddc2d8c1e6b49bdac336af7c6b3e7410a368b90cf192

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
c23715d97bc0c350315b989f494217b8

SHA1
cb9c8c107b2f3430a24a065b1a9061e929a18597

SHA256
91c0de22dbb8ed67c610b21d3d6091c2e6f789f69872bef20eb26bb550c8dd95

SHA512
1be1e7adc48a3d98b21cd9898a72e090af30b38df26ace78e95b7ed48c14e7f090121254267881495b6bcde6352d422f5df919e1b884e8e132e024719596281d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
fcff460cc30a62b2b5e956b1987b1f33

SHA1
95c42254f87f53c4737947ca294acd47701ea1bc

SHA256
48b4b77b84d631d3d90f834990737148ecaeaa71f909b4b6a920c8efc74f19df

SHA512
65ca03243226e9f44041ea9ba3e1bcd91be6c07ffbc0533a272da4c518b31a0603a1b261a3639acab8c1d19e91b38f4edf1b71a8da0a673b1357cf156fa6c727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.0MB

MD5
958036baa5f2203e8d5e3246407fa6bd

SHA1
f0f64260f58eaffcce396973fa42308100963a4e

SHA256
890c9a69966ed287d512634fa2088aa92c99ae0a0cfbfe7765242584b2ced6aa

SHA512
ada4cae42073e66640511ef1acc216c183a1e1627bbacbe6dd2ced235f1c883b1ad2983cea9e950efe6ba227478eb6640cb76bc772ec95e48243a6252baf6712

Download Submit