57df87970a736e06ab9dcf31faa36a3845e520a7c480d8d135f5ea5231df4b2d

General

Target

248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
Size

3.6MB
MD5

248e4f9ae58ecacf8c449aa8d2672a40
SHA1

740b7d7287adef9db67e889a74705038b48b8ba2
SHA256

57df87970a736e06ab9dcf31faa36a3845e520a7c480d8d135f5ea5231df4b2d
SHA512

b844ab818e617c9f36259373966261c8c3d2da65596a7392e28698f9d4cee9cfba265cdc2f557eeddec49e6cc2b33ce4924627e268c9f5eac4a8baab2931951c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpVbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

locaopti.exeadobsys.exe

pid process

3284 locaopti.exe
3976 adobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3284	locaopti.exe
3976	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvO0\\adobsys.exe"	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRH\\optidevloc.exe"	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exelocaopti.exeadobsys.exe

pid	process
652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3284	locaopti.exe
3284	locaopti.exe
3976	adobsys.exe
3976	adobsys.exe
3284	locaopti.exe
3976	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe

description	pid	process	target process
PID 652 wrote to memory of 3284	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	locaopti.exe
PID 652 wrote to memory of 3284	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	locaopti.exe
PID 652 wrote to memory of 3284	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	locaopti.exe
PID 652 wrote to memory of 3976	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	adobsys.exe
PID 652 wrote to memory of 3976	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	adobsys.exe
PID 652 wrote to memory of 3976	652	248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe	adobsys.exe

C:\Users\Admin\AppData\Local\Temp\248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\248e4f9ae58ecacf8c449aa8d2672a40_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\SysDrvO0\adobsys.exe
C:\SysDrvO0\adobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvO0\adobsys.exe

Filesize
3.6MB

MD5
cc87194289425c414d983069375cda79

SHA1
faf622c92ede54032be1918f1606fb2e76905ca4

SHA256
7e1624905cb6d8685164363db18db8f943b65faa206a0c121e84d5afdcf22f45

SHA512
9195308134e46d62509411124f457ad4745787eb3833ee5944e7ecd671db9baf9a4af059f9f9eb84d7a4931163aa7591b27f35c4419a0b91ad7afbc3bf21a363

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
e806d9d212ad0f19e33fc484e4106ae3

SHA1
d677409bfdfcb51355444bd572e6d1a6b6dff502

SHA256
044060771668fd471ffd0bd910640825fbee8aafdde9dbaa1b1939cc6d7d0ef0

SHA512
066b88a1d9238fd76489408ba5d696f43957504b43f8e7878a996387b4ee16a13e0606038701225498031112fd3f78c0facd336e241086fe38f5525cf234a6e0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
7fb86c6a3c3d8db79b46489fb26ef3db

SHA1
5e117b1a5ddd5129f395fc4c4effe570c08f96f3

SHA256
b5315aef900d2de30b69d162ee848d27fa52bf05f6ee7a899b5bf9dd9655ba0e

SHA512
27aa386d6674134acc5f846902f598d85ff568d69d2f729a08b592f0298e59c582ca4da9738e5f85dac6b2959fc064ce0cdd666ad1e381cc89786d6fd9f35c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
e225bf08979fca262a2f5b39c120dfc9

SHA1
41c9d5cc3c293ec8fd86cfec479be2cb97ba8d31

SHA256
27667d03bed3ac013e48d55855de7d7060545f182d981147c50eb8e6d2786697

SHA512
6427b309d315c732d48453c34ee4cd06c577e01286eab028d7cfec242ecbe6952355f33abcf55564dfb7c65c89a1570b65239d0359b87e9aea7a64eb0e754917

Download Submit
C:\VidRH\optidevloc.exe

Filesize
3.6MB

MD5
1469ee9e8fddd596248d73f0bb3faa52

SHA1
38197487e340aba1dd20b0ec19a252355c4988f7

SHA256
964aa303259e955d25b0060db8458f6051b5237e5aaa8e756858ad7812ace2ab

SHA512
456dc75e14be9d49f12703a3e41650b1235b195250c312ce66f91a92539ad6b4c49c5a2c9ee2a7b44071c11fe033fcb901ab3878a16f90d2345c9a9f3f2ba6c8

Download Submit
C:\VidRH\optidevloc.exe

Filesize
3.6MB

MD5
877b6b5e8dad5f042aa194f3e5df29b8

SHA1
2d2d5723404cc2c8382563a7f474f6bfb4ee4ab1

SHA256
177f8e2b7c3da4a76b23cd47fe74f3b5ef0e6795a5c3007b7d3f87baef6fbb62

SHA512
998703a14d1450e4a63dc8309deba505447d6bf11afdc1906e5726b7679d2f9cf72d8ceb1a1031b15a02c85bd7f20cb522c7050017372e27baa33abaf6598c88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads