0ae27459fb59f93ed9d89089c0ccea80baadd407b7230c7301fd84fe01637620

Analysis

max time kernel
149s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
Size

2.6MB
MD5

31af83fa45af8abb9e814e4acd571500
SHA1

9ac56a07f2468ab37ed12fb14000a262579d2a7e
SHA256

0ae27459fb59f93ed9d89089c0ccea80baadd407b7230c7301fd84fe01637620
SHA512

9697b3ec491d2d6a4d3b915665cb67a782a1da8554ffea96926eff7ea7362877d4b21ff077eb1f8266c7873438088eccceaf160b8fd8da9e5ce719026132c589
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1872	ecaopti.exe
4064	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEX\\xoptisys.exe"	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9O\\bodxec.exe"	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe
1872	ecaopti.exe
1872	ecaopti.exe
4064	xoptisys.exe
4064	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1872	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	88
PID 3244 wrote to memory of 1872	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	88
PID 3244 wrote to memory of 1872	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	88
PID 3244 wrote to memory of 4064	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	89
PID 3244 wrote to memory of 4064	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	89
PID 3244 wrote to memory of 4064	3244	31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31af83fa45af8abb9e814e4acd571500_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\FilesEX\xoptisys.exe
  C:\FilesEX\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEX\xoptisys.exe

Filesize
212KB

MD5
312ac801da99bd2f9040a19a077f69f5

SHA1
575cae10b4a905ee4a07f2ced1198513d56afb75

SHA256
e2e92a74dd30766f9efd9436c4f531fbd18521a2ba827df313428169cba731fa

SHA512
5465519163220070a61f32824852ab8ae5ab84367afb95b78538d19b03720409c82833d08e1012a6b6a5a71f0222a256f59c3f761555d7770eaac26111c756e2

Download Submit
C:\FilesEX\xoptisys.exe

Filesize
2.6MB

MD5
c6821706cee3c4036c6441b49bf2b942

SHA1
e1f4026056fcd5742598d1b2c5836788b9331bfa

SHA256
65a217de71f3f5e1af8b81260ca540df155b313334d7163a0d322cf2a7814586

SHA512
ff731e096e2a4a4a46f9998b06a7c9757c7e99be18d77bfe22ac9c4de340a164f0389d85b60614175029f6403bbef265c7bc1d1de5064f07c22aba8c7d703c69

Download Submit
C:\Galax9O\bodxec.exe

Filesize
2.6MB

MD5
f28ec0c7ffab92cd05add222b747a40d

SHA1
c16c287d08bbd6b92e10399cd6969ce71954b1aa

SHA256
c38e8ac24943d7439eb7a935d549467322058ebebc1242435e22eb3a785bf2fc

SHA512
76e9ded2857a63d788b008c994f898762efdcad2319113f04370b5c91a92e3df24e86181fc24f3fc2a69b0cc374e887b9448a28d90d40ead83dc6a5bb2c962ec

Download Submit
C:\Galax9O\bodxec.exe

Filesize
135KB

MD5
6bf5fcddfaf3a5217f16d1d22285d4e3

SHA1
52e20f51dc7815aaf238645bece2a2b0d606e400

SHA256
4241905bdcbe065b0524aa9dc8a1b96d6d134a1feaf6840dd64bf67a22ea12d7

SHA512
2cc7e4fb14368192d6515525518ecc6a8d6f0e54624ddbb9c6a80d38656687a8b68fdf69bbd2822a77ec6374609783359a5410c6edfc3dcd03b576b0454e57b8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
707499ac2f7c8c6d6cfe2c80373feabf

SHA1
3bc4ef01e8d9bf425db0de804a2a81c7e002d68e

SHA256
1c76da2848cc8f859b06430870efae817f222b6293fceb4a84146d54b8d84bdf

SHA512
839503695ab4ff16d038c7942ba8300a059263fccf3f8a000b68e18a52876e420f69ac6c606781912be0c8702a0e8704aeb7a239fff9c88eaecd87bb3dacf114

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
4bd42e8aeaa67218bfcbb13f6497bba4

SHA1
926237e2f4a18c2d0fa4c28f3e3062aa2edf482e

SHA256
ad096fba61214e54e0f11e29b57b285b638046546ff112b6aa9cd18d04e90189

SHA512
e8b833112ebc8661e3e8acd55923e7730ff02ec34c2bdb930dee547f64b9d79efa995544ddd23d82214650391be785df6f7cef34f5a3550daa80f644bc130343

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
dc5cc8c561f189320ec52b493e4f995a

SHA1
8e2788f49b28813212d8c0ad0135748a065549e5

SHA256
0ceb403de62b60fc2df2e6678f3a83055ee9b55f8d4d68e9305623413bd3d4ee

SHA512
11affb88847a672e32bb32728c9388983686d2073dcee05801b492701168b67ced85ad6cf1b75dd6ba2b78575b20de5fc94c8960d03d9fd9179b7d5b911f116f

Download Submit