52c236c9f69a542a08cef69cd4beef9582a41285b82972f559c2e5e79465e87b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
Size

3.2MB
MD5

66d1ccb23e0c6dea0026f8703dc0ab00
SHA1

53aa5303f537d3ab2208256995d0874e7a0235f9
SHA256

52c236c9f69a542a08cef69cd4beef9582a41285b82972f559c2e5e79465e87b
SHA512

e3bf54261375fa13b7e3b598ce9dbefcf4b8b612e3abf8cb541fd01310e80aa318e1453473128b0a97631422d0342211c3a843aa56fb03b6314fc10a203fe78a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	sysaopti.exe
2792	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4T\\aoptiec.exe"	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMS\\optialoc.exe"	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe
2012	sysaopti.exe
2792	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2012	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 2012	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 2012	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 2012	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 2792	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	29
PID 1740 wrote to memory of 2792	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	29
PID 1740 wrote to memory of 2792	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	29
PID 1740 wrote to memory of 2792	1740	66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66d1ccb23e0c6dea0026f8703dc0ab00_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\UserDot4T\aoptiec.exe
  C:\UserDot4T\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxMS\optialoc.exe

Filesize
3.2MB

MD5
25efbe41456a53b534c901c255e23531

SHA1
63ca37791abd5e8468aa1069c7ca5c9b63c076d7

SHA256
07f50b6a3ace7f44a24dd21b4984e6aa0fa674b61bd29cfe92055d0c4a6184cb

SHA512
f6f8d0cbc15daff6a077df7d5bd9e1b17f589c7693d8cadbb55396045a43025c2f16ac8dda988f7b954c9ab58f8185c62479435945cd95062eccb8d2213be33f

Download Submit
C:\GalaxMS\optialoc.exe

Filesize
3.2MB

MD5
876d2c9e4109f9cb8b56234a342ce248

SHA1
ff9ba4efef723bd08a90516a11b9d5929bce5fc7

SHA256
f3032e2a45ca82cb36ae7d9ea2074693b9ac74b2537e635c15104cfb8b35616b

SHA512
8811755a80f1829f5a504313d6b4b3bc7119514e40886bf3a35188a3dbc183105be859d7c24373480211e13fb6ef353339732c23396163c7990d894a5abab60c

Download Submit
C:\UserDot4T\aoptiec.exe

Filesize
3.2MB

MD5
ddca9f532b0f1283b4568902e64362b6

SHA1
59b3b1d09a0408c8df98c158d063e6fe772304c7

SHA256
8fb3ddf1afa50813456cb5d428bb85bed0aa3f0e704ce133a2d1c4de6c9e0eb1

SHA512
bd2c58f50a540bc57c873f86eebaa488e25ce44147c9082c28630d11838f9e5b5692f0634c7c1e0fae767a9385d50c3125819856dd76f41e76e4803fb28bbb4f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
1478251d564c08784a5930ad34727365

SHA1
00c5375cd809a4ce572f0fbf8fd529908b67242f

SHA256
80df18ef667e5f76c1defe5dca51645be9f793a17e84e600341d2488a73b5b02

SHA512
844a0b3a7c826eac1f8f112d73926bba64dc81122e413ded54a09f9ea6dd9534aeafb1f0babd82d83732845aebc3c9e33d6fde8c1a5cd577e52a61b3247de4f3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
614e3d83965e3bf4609db740b308a706

SHA1
abe157d4d9fd61abe610ded37d49a74593c732f2

SHA256
a967a04cd5ca963c32de390fd868e7ce00cfd38711807aff6af553675f9f2810

SHA512
936d52dccf48d97074e9ba65d5b9ccaf7a62a225aa27ac256b2b73e75799d4d52e0d9d702b034d78255ccde02d4789f4c3efc40e0f3356b4fa7b9729f0689c2e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
b6549006a6516ffc6c7c30496b13dde2

SHA1
6b795b1816a27bdcb13350a0f5229a6f7e3cff57

SHA256
dcf16f719693f17fcbff5eb9dba3c2485188a48b09c96ee29b5966ab6ed1dec3

SHA512
61ff61d571380a679322cd702f5858ef3bbd49517af63d6153f474d44d2e3ec273e153fdc3225230554623e68c2db92b5a8ebcdbb2de932ac47b86fef6b9746d

Download Submit