e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Size

3.0MB
MD5

12e16a008a5813732935972704d9a290
SHA1

3fde23c769943deb96ba0150f7d1d555c69384d8
SHA256

e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103
SHA512

1906770a2a1083c283d7d03930a550039e7834500a3d68157b1d6a237edee757ceb9eb09db0893aa33f45ae9e46edb430e72716451c2500006c9de6afeee11c7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpXbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
452	ecxopti.exe
1484	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD1\\adobsys.exe"	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVQ\\optiasys.exe"	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe
452	ecxopti.exe
452	ecxopti.exe
1484	adobsys.exe
1484	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 452	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	91
PID 3404 wrote to memory of 452	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	91
PID 3404 wrote to memory of 452	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	91
PID 3404 wrote to memory of 1484	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 1484	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 1484	3404	12e16a008a5813732935972704d9a290_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\AdobeD1\adobsys.exe
  C:\AdobeD1\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeD1\adobsys.exe

Filesize
3.0MB

MD5
021dee4790f40dece6920c077b326fd0

SHA1
db8a5d18e24be178674613e1eab83e7cb159f685

SHA256
42086d70e208cea525e1b0139ce986a43286a4308adf98e5e13f640412eb0b90

SHA512
4d530fd6d236ae2cacbb1dc37d8a5a361a015b4f4a32b6645b9191aa95f83111fc8e53b9ad05a75a9326a7994f474c12a038aee13580be9387a2c4f47bc0fa06

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
2db98f20a6bfaa9553df7ed730f9f6b1

SHA1
c55126eea630490842b94a4572bff47185eb27a0

SHA256
12e688eede72c466a58a3c90c5217a9695e679e46ea652cd8ade3fcdf6301a0d

SHA512
75282af6009ebe276eb955d8eefe6d954c8e7c9818be9a702a9d7051a01d15f950f6e85c6c04689601c6959d23ef78cb2ebc096ea986c3e5f986f69c825584d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
624929d32dc58fe4b4eb50841e2e195a

SHA1
358b1043556f3625c35a1d93da330b16fc4c8d66

SHA256
137b4b20424ddd837ad6b033fb64e61dd249ad74e3528943e2ffe6af99ca4050

SHA512
bad4e00f2338bde9ea2a87b1ad88f22fc20c8f16f60cf364e063356a9f1115265da3ba734bbe904b40323ed56137293a60b508db6117e39fd0ce6277eab62e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.0MB

MD5
44f49f74108b95e37c4370c4cb9ac0fe

SHA1
456cf5eece5befc08244ae7aaa0d0c7fa7b255ea

SHA256
3385b6e5d668e99fc0b2b0dbb7bf1d10a692df9c9ae7456f8cd298447ca6cd0f

SHA512
29fa5c0fd9f07f4d09f435d7b5247c8302b9e99c41f190624be085039fd912150d1b8f0de1b034ded9fed4515432c0076d7facce34a97a1e36684361f3ebb3f6

Download Submit
C:\VidVQ\optiasys.exe

Filesize
3.0MB

MD5
7c5f3ceedd0e9401c50ecced07ae89ad

SHA1
30572060c496129bb5c041ae25c0e0ab1535b0fc

SHA256
71838ae72eaece9e28a959e4a3a534618b7565ccc1214aac7b7e81a2d39ebf8f

SHA512
68c1f529973b6c0e5e0d5604ecab89b59731e2ed9fa4278ff554778076a0b5c8edecbc48480ff6b8880c95dd71f870ca2611242c748f654f5b5a8dfb958593ef

Download Submit
C:\VidVQ\optiasys.exe

Filesize
3.0MB

MD5
9132a7e20726c7300231d0bed3bf479a

SHA1
72accb2027d70b1cd9832270220306d0d4d5f1b9

SHA256
5e3bbdc680f4acfafb4c8a5015cad44259885142a4aed523543f8603a47376d2

SHA512
8288d560db993c8ebeb86f9c9a37872fdf695a27883c62bfeef61a83caddcef860994ada7e72d16f3d73fde6cbc5d0bb5af04b9f16239bbc3423f250e36e270b

Download Submit