9f6906f5adfcb9cf6858de673937449b4c31efe9adcf6ca6b58e5db25f013541

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
Size

3.0MB
MD5

1421a7733744aea0ed2c02f6dcf0d320
SHA1

ba76e7f3e61eeb60cb65cb2d988af0fb597fa782
SHA256

9f6906f5adfcb9cf6858de673937449b4c31efe9adcf6ca6b58e5db25f013541
SHA512

f4c2b9e1ca9c8e978902ee69dc0d1fae6dd3d29ba927be291997e5ae242aa2742aa10b16b76d4c03f652b6adf1a80e980c155ac2c3f2e6a4fa14c95655b6ce56
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bSqz8b6LNX:sxX7QnxrloE5dpUpA7bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	ecxopti.exe
5072	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUE\\aoptisys.exe"	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4E\\dobxec.exe"	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe
2980	ecxopti.exe
2980	ecxopti.exe
5072	aoptisys.exe
5072	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2980	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	87
PID 1180 wrote to memory of 2980	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	87
PID 1180 wrote to memory of 2980	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	87
PID 1180 wrote to memory of 5072	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	88
PID 1180 wrote to memory of 5072	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	88
PID 1180 wrote to memory of 5072	1180	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\FilesUE\aoptisys.exe
  C:\FilesUE\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesUE\aoptisys.exe

Filesize
3.0MB

MD5
96bdbf19588686c4d835b3a3cc6e311a

SHA1
a9ed60de3eda714593e65da4b9d8c701e1cb4f39

SHA256
1c9cec6e0d2425ac96cf0faccbf4df99534f851a828a3cfefeecf811ed4ef6e6

SHA512
8d729d8e1f05e8323b9b54a827d6d6f946b30e335a546af98e72948987e330f36e706d6e0b8aa5d513b7cc1161a28300c194fd7113ae62ccb0bc207823fd889f

Download Submit
C:\Galax4E\dobxec.exe

Filesize
3.0MB

MD5
e720696a92e1e729683814a05f0487a7

SHA1
624037e60675f8c035fce1b2e15d038c18785bb6

SHA256
5f2fe32b1d00d7bf9fc3ca9efc987fad8323d104f753dd9e719aa1a440476c42

SHA512
58281366a41c52d86c2e25de797541ae4e03aa30d2ea7ebab3c5d1df6fe5a74ad4aab9601f06f4a21ae639058d105b5dc8d6944d2db9ba7cd157dedf922e77a4

Download Submit
C:\Galax4E\dobxec.exe

Filesize
3.0MB

MD5
940a498ac8b3fa6e0745f99bef7e36e8

SHA1
5a5c6a94aa3a0829778fb821b9f948a2abbc1913

SHA256
bfd86b8d8dd5da3c16c02f1d43e6963b42e8a044c0edbe54443df4838cae5d9f

SHA512
152c3deb2d95e34bb26fbf25b95b6372c803c791a5a69b4adf0469b8cad15b3d63edbe9299272840e1576cbb6cf0ecb59da5e1027f5b8b3e04c7a736909d6c93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ea58d40845b8e797fb3cbefc4eafbe8a

SHA1
a9132e3bc8ea26a19ef423d572440544b47cc593

SHA256
268d39212b3b88739db76d2b3d1f92f2b6b92dd92dc7fb6f61f083ab0c81bcb9

SHA512
5854d37755e05d76c49faab07c05274589eb8df14dae92aba5c956b1d335d5a201323b0684c3a5a8b654c76200b6865f16cb90eb18969fad1b0e24e587dd2c57

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
5dfe1a4abc94c3ca155a2cb8a5d4b58b

SHA1
54adf2acea83fc203ef98cb7df35aa8ee87e83db

SHA256
4b8535a48876697c0eafc23ac6c3d04f4888e7dea462cfb4d44dc5eac4a62dca

SHA512
3ed3b303fd7644d8f511922b132d29d2e02ecb159ed0eca7ecbe7c2530c965882681ca448e316bae63261972046ec8840d34f347cbcec49da1f85cf4ba1d48bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.0MB

MD5
c7f1999a9de4d9511e884f6bc6d48f15

SHA1
908a881ba823353f782d8a8fb962a997295ee591

SHA256
e327ce82de5c4869ddf497b8ab565ea514a76387eba8649d222b711f2a84b047

SHA512
e6a71360210e2be1d69c848485c987f40c1670321c75fbaa53fc714543ab2651f9441826ec43020a57b04d91c6d245d5391aa779ca786ca280ee7fddb486b411

Download Submit