b29eb6b378dfa6f3eead0a17f792bce21fd37a932866f0c12e973606c580218b

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
Size

3.6MB
MD5

2f017349d32add3180a6dbecaf849040
SHA1

7b0e8709820705103cb411f755b4cfe00a21bc96
SHA256

b29eb6b378dfa6f3eead0a17f792bce21fd37a932866f0c12e973606c580218b
SHA512

e311acb61f212cf1a250b13048c665ec6f536d7b3a1df6586ef36dfb95362392c282e06dbf66c527c5280aeca070a60e45382ede2fed7e9d5ecbce16c3e47126
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	locdevopti.exe
3032	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUE\\aoptiloc.exe"	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBG8\\optidevloc.exe"	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe
1344	locdevopti.exe
3032	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1344	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 1344	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 1344	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 1344	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 3032	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 3032	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 3032	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 3032	1932	2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f017349d32add3180a6dbecaf849040_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\UserDotUE\aoptiloc.exe
  C:\UserDotUE\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBG8\optidevloc.exe

Filesize
3.6MB

MD5
fc4cecaa6de5f5254c9d4c86bd778f3c

SHA1
dc41cbfc81c8b16c8376697de30e90b865ca125f

SHA256
753c87532c612ccc4d0583ee0a3d94be8c289e67bfa73152b5d6855545cebd58

SHA512
a4072a3a954a06e2424cb563cb7dfd19992948dbc2fb60192565f6416bdc3ecbac20f457dee523e92c69aa1c1c61952ecc6d3cc7b50e50b7304aa41b002df12a

Download Submit
C:\UserDotUE\aoptiloc.exe

Filesize
3.6MB

MD5
12995921da2742e7bfc07a7a9681ff40

SHA1
e97e520cfd3117800bf3d98221d72ca974f28864

SHA256
bfd7ff53c7334d93bf781b022aeb4c2d325b543bd34d7b154d1eb6b0486d9a05

SHA512
0937a94d3eeace773bf7017a99b7853beac2005bbfa50468885e1755350e3ff8eb5858bff4332121295f6b319110763d54a4cf7d69eca8b1ebfbaa9690384e34

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
e576e4db6a0c3257be6973608aed7fb7

SHA1
3506e6cd3926ed642e70b6f2e32e67e4fb28d93e

SHA256
4c2366f636fff88739b858ab7a83f7809e27f09ea1d1e2fce7f50ad241223822

SHA512
1c766d053eb8d4bd2c1400560d78aa55fd81293df5d2d00b84373c75ee4c2b74e72f56c97d474b4570275f1317ce928a000c02890b09dc4a5ddcb815b8c08f4f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
7019c9c4357ecae99aaa59b2ed937f50

SHA1
a45ed51fe3ebd9cf9391f165f2267ea149d870c4

SHA256
c240f01c19d0842441daeaec30cd1e9b772668e08dbac72271bd5ca919c71ef1

SHA512
b1a38ac5f523199fe0012c50328f8db51e2d532e64bfe313e08c769c1625e9739df78a8c40fd1fe82e36bb1e96e18699ce791f71c79c823711ecf8ce8b3c98a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
10e793bb927b472add70e8544eedd2a3

SHA1
718552bbf34549af8718b6b636df9c73b9f98f28

SHA256
f4561ae74bc81757d711a0558f6a18077060a649f12b379a95ef875d6e60e8c7

SHA512
4a46651a53cd8b074bae25429a02c72780ec6c02f0396e81c852556cc1e50fbc3374b829c4c862d1285bebec41ae9bea73a05802ac9df2489bdc5c710bc2fe12

Download Submit