6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Size

3.1MB
MD5

1b000262b7ec3ccab0b3f80f90a31930
SHA1

ed26d834a1a84a5fe0af223a3e89fd80e03b1a46
SHA256

6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d
SHA512

9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2868	locdevopti.exe
1916	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE3\\xoptisys.exe"	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRL\\bodxsys.exe"	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe
2868	locdevopti.exe
2868	locdevopti.exe
1916	xoptisys.exe
1916	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2868	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	98
PID 2664 wrote to memory of 2868	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	98
PID 2664 wrote to memory of 2868	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	98
PID 2664 wrote to memory of 1916	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	100
PID 2664 wrote to memory of 1916	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	100
PID 2664 wrote to memory of 1916	2664	1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe	100

C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2868
- C:\UserDotE3\xoptisys.exe
  C:\UserDotE3\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintRL\bodxsys.exe

Filesize
1.7MB

MD5
c063e5c6b7580b2ebfd8b81b8742e60a

SHA1
ae3e50e9b3104b6737c7c0eef7dc36aa73402f9d

SHA256
268585f8bfc8ec60e74f6527b77a0ab0b01f9200e376938b6f590610df61af4f

SHA512
c1ddbd26f86a255489bd5ce9d5fdd19c5e497b78fe50d528a3959148598583a3455fac123d753b129e4c16ae83ffcf2a7bf268cba1b92b22c02b0426ac05c968

Download Submit
C:\MintRL\bodxsys.exe

Filesize
1.1MB

MD5
91338e0f6b3ac1ae484884fd72bf8c19

SHA1
9c48300fc2556728f4a48e7acc97ba552aae6b56

SHA256
acd6c2c74b6152baf4de79434a117e0f705740f6bd4cb7e7dfdcc958dc70e561

SHA512
a721dddf79dfb32b03c0ce7d425a13fa28d16e4cf327ceee60c8c23ce3bdfd012b5cba8d0bb0484a127672a1fa3e45cea38916d2b67eaeedc8d544c4829c5b95

Download Submit
C:\UserDotE3\xoptisys.exe

Filesize
64KB

MD5
1fe0d14acbae1f4503fe3c851d715a39

SHA1
6e9ecb695f2b07b82aa67f8a0c7c244f7baada13

SHA256
61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574

SHA512
5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

Download Submit
C:\UserDotE3\xoptisys.exe

Filesize
3.1MB

MD5
f9db04001054ad3864f94ca845bece03

SHA1
48d481215c00a77db6757d4ed8a8f79fa4cf11c5

SHA256
d9ce85c4b24574bb5df90d866870a7d9090c881754ebbf3286d4d5f9a851c391

SHA512
e5a7a06d9ca4c36bdcfff34d80477127ab125800fd13235f039215fcd50f6cd5e5c9b8401294811f9044398039e81c92ce95324fcb26dcb334f7b8867337f8fb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
8a9edec53cd33ae5475ff88f2d49ba82

SHA1
4831198ab73ad3cdda12d59715f25c170d39a38a

SHA256
7e92e151cf635b5ee40362ae29d44cab98c69da07579e414fa71668b2dbade65

SHA512
0b2dedb892c73aa6fd2df5960d322080892e2ddecf523afe3b8e172461d30a4c65378f198b6b249ffa32cd1b58361154b90168f58a3b529c6a9c5189ac70772c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
c401a09701c4bdc9faabf5d675d9a506

SHA1
abb7a3c4724e33a3728af800cf7c98b37b5eeb54

SHA256
0fb780aeb6e24f0d9327d35fbb75f219377646a250f87400d9f953763caf6984

SHA512
e3e1240e0ed2d437b40260f2b54b2b546a73a1a68cd8604a9ba3b2289e63d30b12f3a446cf860ec9c363d087c9c2280a6b993bede5c3c0fb47941059ed8652d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.1MB

MD5
8dc3be9aac67d1935813dab2f1142328

SHA1
49f961e4ef92b18f1d555bb4bb7073d055c7f5c7

SHA256
d384c10eb2f6dc9434f7e7491e13a404ad75787f45c8450f247acb5b5ef5531c

SHA512
0e30115465ab76a9b1478067e1946962a6f1bbfc6b0c70fd5c58a05d09ef156ed9bc46a342bac54ea3f16453094f53d0b9d69c1c69fc011c968dfc5613efd829

Download Submit