0f71cd9425616efad6c00696769ad12080cf491daf00bb79811e2bee8c1bbe15

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
Size

3.9MB
MD5

79282650946aa061feda7bb4f0ca2870
SHA1

9b08233ee7c898a0a247c5cb379cb06cf660d597
SHA256

0f71cd9425616efad6c00696769ad12080cf491daf00bb79811e2bee8c1bbe15
SHA512

7f92abff390cb1d0462cc9e4a9cd5004f91108fa7e76a06478ec3e285d070520f329ccc9315cf19b3baa1f47185be74dfddb986f788dee64f2d2887e25575d3f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpYbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4428	sysaopti.exe
4092	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPG\\optiaec.exe"	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9H\\abodsys.exe"	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe
4428	sysaopti.exe
4428	sysaopti.exe
4092	abodsys.exe
4092	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4428	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	91
PID 3708 wrote to memory of 4428	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	91
PID 3708 wrote to memory of 4428	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	91
PID 3708 wrote to memory of 4092	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	92
PID 3708 wrote to memory of 4092	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	92
PID 3708 wrote to memory of 4092	3708	79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79282650946aa061feda7bb4f0ca2870_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Intelproc9H\abodsys.exe
  C:\Intelproc9H\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxPG\optiaec.exe

Filesize
1.2MB

MD5
7ab4ee59c30218594a9de6fd4a8cfc1a

SHA1
86f9547a24e59c3766c153148e270b4542d4053d

SHA256
411e5de4b6f5585dc36ddd1f76056b9fb7a015bff7944cdad9e6916cdd90c95c

SHA512
4ca1532fb4823b46d4ae50d648910f6cb2478117bd11d94e8ef5bb704ac7c977aa48649bed43ab042204c6b7f4bd81d14eac07a27d54ae77383c2fd8e084ff23

Download Submit
C:\GalaxPG\optiaec.exe

Filesize
3.9MB

MD5
0d0a7a043051eacadd1541323441f79a

SHA1
b2d76ec21c85c41522ab950913d20888e3392e0c

SHA256
6c1f2f2ff5d355c0a78ac87a80f76b3a3ca4de87fb5d57fdb65ab821cb15dd3f

SHA512
3a57be10d6d8719c0bfc1d14e6aa960d87f7024b91b4f712071c42784fab9feaa1d8536982537a741810af0a997d2a2625d784784114a550819e2504ddf394df

Download Submit
C:\Intelproc9H\abodsys.exe

Filesize
3.9MB

MD5
374cd954929ef5a2e1664d2547e9166c

SHA1
f21aa288b340699ef53e4231336329f8e11f6709

SHA256
bef18cf9214767e7662fd8cd63790c147d5db9db97786778e6f70fff3f1ef296

SHA512
c2ab6fd067a1dddad16ef457a733b850793073fb25d0f04910867196b2423c50890f63bc71193952b6e3b4c7f024dd26360fa330c14dfe71829e4511d0eca8cc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
30a1a6e494b603dd375b67e2167164fa

SHA1
87025e456e20370dab0108dfca1b85d447ac4104

SHA256
dcab606dd8a28783eb3b819b3390454f8a7cd19b3a9f6c7cb0a16ad59282428f

SHA512
eb44c240ae0f866b954a74de7ae2fc086a661df3f0a60a37343a39570a988ea9ffd850fd01853897704e51e81afd60ccbf67806be37125c860d34f8aba18d88e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
77e353e3de008b93d4f2cfcccb15a42d

SHA1
986a71a016c4518577a189a24009d8a6319df90f

SHA256
29b489ad86e775a8b2cdd7e8dc5995810753d0b4bb78653204ef8d929725c61f

SHA512
926b695f49f3ce51ac5d10351ec2fbcb23121f690f0962613eae6359fe79638b7c4eb7fb4c922ac21a122ed531ec04f3de11fa7ebf624ebe59bc8a032f52e97b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.9MB

MD5
32bebba1c1621a5162935abff77db880

SHA1
52cb1ea965b94fd4b53a5bfccd5f049ddc7950d3

SHA256
8b5009a4ac7e735d91e3a89a27b09bfa8f2ec7cdac2a86d3f5f63f81d8812a14

SHA512
3e428f677267c53a57d6c261e144b7d59412e763f80e3a1a5829b7d21347c32cf0f41f45a7689fd4365c8c688ed9dfb91ac88e6d6571dd09a595fe7df74ffd7d

Download Submit