bdd14e96463ca11920daecf24416b679232cab79c94f43501fc48811e70b8c62

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
Size

4.0MB
MD5

1d2f1ab87ba9c15cd5ddc3caecf0be60
SHA1

428844667b739f97abdc88282dc28b387c71b867
SHA256

bdd14e96463ca11920daecf24416b679232cab79c94f43501fc48811e70b8c62
SHA512

c2b87cc956ac4e07024b771a55a095549626b32e5287a24da9f095509b93ce32135f01f896fd29df729986aef29a2a557227a1223c1fb77be39772daf1edd1dd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4504	ecxopti.exe
1264	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeI0\\xoptiec.exe"	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\optixloc.exe"	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe
4504	ecxopti.exe
4504	ecxopti.exe
1264	xoptiec.exe
1264	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4504	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	85
PID 3160 wrote to memory of 4504	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	85
PID 3160 wrote to memory of 4504	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	85
PID 3160 wrote to memory of 1264	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	88
PID 3160 wrote to memory of 1264	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	88
PID 3160 wrote to memory of 1264	3160	1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d2f1ab87ba9c15cd5ddc3caecf0be60_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\AdobeI0\xoptiec.exe
  C:\AdobeI0\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeI0\xoptiec.exe

Filesize
4.0MB

MD5
c12772705385739d0472f601cfd2faa6

SHA1
f2a4dd6787b13333b6b9774c344424f5b7570395

SHA256
39ccfce9505d99003c094b596c4014482e710b010c675efb38fab5b12bbaa894

SHA512
2f31eb884cc4b8f7d22baba7195d1fcab310b21dc4bdf5515f4a75f39eba993f77e1b35a4e8aacd6448754824d413a1b7c8ad9c05fce8aaf2cb2f49307dbd445

Download Submit
C:\LabZ8A\optixloc.exe

Filesize
1.2MB

MD5
211f25780a949ecc47fe103d46655355

SHA1
9e61828760283cbf311ef63c6da4b54bc8e38bf4

SHA256
03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

SHA512
425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

Download Submit
C:\LabZ8A\optixloc.exe

Filesize
4.0MB

MD5
d4e327d29cf8569373d629a32e01aa77

SHA1
ca44fae062d462812872fbaa15ca8502343a77aa

SHA256
702a5d80c79514304ee0b9551a2c3303b26c44348164d2de69bac264993c7b8f

SHA512
25d3f70d8077651709cbcfb1789e03b6855bfacc9bdc8ae29aca4f44ee54bc548210e0d79b1130896e2890c439b8c1beceb8cc999bde63f71b048ade1f75afb3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
70a64da37d0d956e958b69e7732381c8

SHA1
79cafafb81300ae2506f7380e428a7bfcfdeb4a2

SHA256
64c51b1e98cd26d500376bedc69094216c40094d226a85386b2a31b1f3a88aa2

SHA512
5a9010def402323e30070a9653dbee2e0dd8bdd1e2f03967e0edc7cb72da90322a106cd868cf813f6b33a5043fdda8c885b43e0c649868a341ad775f5f6d8626

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
17ab9c3ae34b0fd54bbe1e57593c50d8

SHA1
aa00e7e9fd4ade6cc4ef8fadcabbebbdb86d2ad5

SHA256
5bd7de89a25bec119e10da6fa9f8a286772c8870c0e58625e7b75f36866d57bc

SHA512
a6e6a4afe39cb0fa407e40c147070d4985538ec50dd7720ea6f5bd124ed979c30205479290df609362d4d95de043451e8d15c862e081bc08489f4cc27f2c202e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
4.0MB

MD5
007bd6ffe1d0e79b17af9d102858ea08

SHA1
5d1c082de038d7ca7fc2d0cb2903c2438421e85e

SHA256
b5e4a9cd240a01591c60d0650d7fbcfd18f43e49b7041b7c522a9bbdbc12bea2

SHA512
cee89150a158837d947f6ad33c3def195e027836e554b9e1a14c0bbb15eada9ce537275d64e217571b6dd618f29bc7168c05d58a36e57e20c2c65f78231f2559

Download Submit