c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Size

4.0MB
MD5

aedff83800d8a0bff4e5adaae2d78250
SHA1

e6a6acc9f6419d1f427eb336ef4f6e21544f2d9c
SHA256

c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae
SHA512

46f68ac1d7b81c518f94b7d7b521c073ff320e16797d9d18f1c5036e785f26c151cbd6302f3e98a1b7f06b485a9c55dd038aa2838c427718d0ee209434c48983
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	locaopti.exe
3044	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3X\\aoptiec.exe"	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7X\\bodaec.exe"	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe
1268	locaopti.exe
3044	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1268	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 1268	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 1268	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 1268	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 3044	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	29
PID 3012 wrote to memory of 3044	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	29
PID 3012 wrote to memory of 3044	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	29
PID 3012 wrote to memory of 3044	3012	aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\UserDot3X\aoptiec.exe
  C:\UserDot3X\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7X\bodaec.exe

Filesize
4.0MB

MD5
1ad5da181c5fab51f3ca4f0f66e9e2b6

SHA1
eb76dd7786323125f59e45be8c560156e2675ac1

SHA256
3d4224057f274d9513318ce6563f50adf6d4396af2d7e9cdaaf3bba3318a7631

SHA512
81c9a826b004e1475227bd20456362a2b7a1e22dbfd09ea36bc9a8ab8780ae2b631e0a7f7d32c7565f08756a91e873ab80a4aa03280bd66ebae88e1f47733a77

Download Submit
C:\Mint7X\bodaec.exe

Filesize
4.0MB

MD5
3a4e68be7cafa42e6fea334f209f5441

SHA1
f65c0068c250841e5e8e1191c9db390ec05c0a01

SHA256
6bc102e3ef166afeb0a0fb64615535f9f034e1cbdf4b2bee20cce991e1e2d8bb

SHA512
c70de5dfcd5a2d26d2c9b61b788adec571f27d3b7c4fe3066f14cc713a35b13b4b956949febb5f2f9e7b90d0bee26de227bff864e0e06a113c4372f9ebf647a1

Download Submit
C:\UserDot3X\aoptiec.exe

Filesize
4.0MB

MD5
4908d682ae0a9d89edadac49a167812b

SHA1
2edfc37d1259487fb66593e00c425048eb9095c9

SHA256
fec4992fdef2f1cb0704abf7fddad6ee8fdc8f6d22ca017078b2c8431f0fde1c

SHA512
b0809f443943d0b0c3f28e3a88fa6395c904c25485a40ed58f17806a3572f3a5b1339e6548600fd09b366bac63fdada57047bb75888bb188bc057abbe90d14ee

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
46484834c2f8bdd3096aff98b39a18f7

SHA1
efc76872a0480a34d86e3fd00dca717d9e5b37b3

SHA256
e1a1596b277be11b8fccc8eece9b6a86e6112c9821fe821ddbac745c448636f2

SHA512
077c212ebd9ca3ec976d3ab277d5d055e28a08f5ac5aaa97d477d059f9cc2f5089a099a699e0a08cf34032b5727b103dcd592a19c3bca12eff0dad1c60635d30

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
3f91e1cbb75731340b45619000ac4de6

SHA1
15720603e5667662691d8281c6ee0a02e40c7fda

SHA256
53c60f6a84377fdd11c63595ba53eb2286b70066f25133fa83b768076207b424

SHA512
343a4e7a76f0add570fe54e4a2a4c2847ac2ca76583e29b76dfe029efdafb8e83eb0a0d2292e6bb110415acc289db90d7d8424861d0e53724353a1a77592619c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
4.0MB

MD5
f38e7decb4bd820e9608fd0564ab12ea

SHA1
d60bb62696eac2a50bdeb2b927ea66b140a605c2

SHA256
b14941024fcc97fabb8fe56bc77fa67559b8bc708d1fe7a81062232311936db1

SHA512
33db64629248bfb990636d07b87088b2dd90d064699cad475eb62cff7f908bdd8509324b9f78ea9c42beb66c6a49263b4b818236521fbe73240d191af148551a

Download Submit