d276d9f389dafb93af016e1bb14a78c1ab84283c58a8eb92f7d8e82ccc7c8d20

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
Size

3.0MB
MD5

28bbf812878661f90ccbda967e5a3010
SHA1

c462ad377cc3167688f02d48442d19732d2c3b3f
SHA256

d276d9f389dafb93af016e1bb14a78c1ab84283c58a8eb92f7d8e82ccc7c8d20
SHA512

dce6ee65fdbe8e921a2b0ecafe3545be53eb153b1992c09de6757444e17e128aa0373674f6441e998b32055dff96c6abe5ec236e40ad8e4e08134a4665ec681e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNX:sxX7QnxrloE5dpUp5bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4912	locadob.exe
5048	aoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8J\\aoptiloc.exe"	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBL\\bodaec.exe"	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe
4912	locadob.exe
4912	locadob.exe
5048	aoptiloc.exe
5048	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4912	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	87
PID 2960 wrote to memory of 4912	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	87
PID 2960 wrote to memory of 4912	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	87
PID 2960 wrote to memory of 5048	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	88
PID 2960 wrote to memory of 5048	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	88
PID 2960 wrote to memory of 5048	2960	28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28bbf812878661f90ccbda967e5a3010_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Adobe8J\aoptiloc.exe
  C:\Adobe8J\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8J\aoptiloc.exe

Filesize
3.0MB

MD5
9be8f86ff5bfb3b2461f15f2d731d605

SHA1
2bebfe37e0a1d9ea1ce0e7c18fd8993a3cea12e9

SHA256
c8ecf5598a3888beb8a9eb7b745210bd19b35a611d6e8ea30b22da4bc40d4613

SHA512
e41475f935e6229d1f6c520cf457e90fa5a1fe3dc624802e15cbb7ce451cbcc9e4290c9502b88192d1010eb27bbbb842c31fbce3ff477d89436589774e75119c

Download Submit
C:\MintBL\bodaec.exe

Filesize
1.4MB

MD5
1846af9e8b55558541978d7c56478edb

SHA1
547f27f580ed217db608fc58faecb1dcb3b7543b

SHA256
7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd

SHA512
863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b

Download Submit
C:\MintBL\bodaec.exe

Filesize
3.0MB

MD5
70c3693b6a5ab8167e8fc6a876d479e5

SHA1
c43d8880f2472ecf70ff93251b03683b7e558bd3

SHA256
4d5c78f334afea332ac16fc29a04a53a3c4ba60b20329cea72a76a3c97413ee3

SHA512
6f243cabb958343009f7cc9a1bce5abe863b2f0461773a3d18f0c8c7f1cc2328a8f31f1884b7cc9acd9ea92286e609700d854876174b1804fe7fdc9e9aaecd73

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
c7c403102f068de72dd22be02aa30872

SHA1
91bbb6d39b035b3df46ec65e06083aaf3b1258bb

SHA256
9aab40be9732d3e3f1829d32e60dc8c02aa5a166767c26e6dfb35ae811cd8aa6

SHA512
b4cc64a3da2e4838bf6731d710576f2fa8ac9c5db0a5ea1c7abdaaf06d2ce9fd3bb3e352353485bb7e8baf62733bc57d3ea92efc5631d4ce9f48e195a3533b41

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
86ed307eb8de9c32f526fabd3cb2abdd

SHA1
4d753510d2f9dc94e3a617165a3e6f3cdd6cebb5

SHA256
2d09833dd00d624042b52ffc946c54d2307cb7b9f5beaa62df3e0fd584334890

SHA512
deb1303f0ba6adbf5c406ab8f1fae1ce29b77b9b3c24f39169de709b3a03cec412b23e5c6d0838acf62b6c8c995735f9e32b24440f0045f7f8e45dc56d832b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
14205c3708d3c404a5246965bdc0064e

SHA1
1f9fc7fac390dd45c91e1cf4a488f0807732496f

SHA256
2f2bea7d205a24c1b2cf72b252b99904c8f1aac4f2cc3290539707cae793ee4a

SHA512
cde89afe16cb4fb87acf37e1aaa0c7f700c1d36c387a707f3a65ead4c88bd99282a63027507ea62adf079b737c27b21303635e61fe7f224a269faf44790634d7

Download Submit