3e68e750761c30c8c399f101a615288c0e44ed9930da562a32b99b22ad0d055b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
Size

3.1MB
MD5

229e20a0943c893e1fd53d72cb6073a0
SHA1

d19c0a52885b9f7266b806e3e338fce05b8f11f6
SHA256

3e68e750761c30c8c399f101a615288c0e44ed9930da562a32b99b22ad0d055b
SHA512

7b02cae53fec4e67de0df3c6e80587a41a2781b2185388c7e4436e34710492a79d2e8e1be408d542da1d594594885ad1c1be49bd79fab12f924be620d722ea33
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3652	sysaopti.exe
2668	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSV\\xoptiec.exe"	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4O\\optiaec.exe"	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe
3652	sysaopti.exe
3652	sysaopti.exe
2668	xoptiec.exe
2668	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3652	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	84
PID 2352 wrote to memory of 3652	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	84
PID 2352 wrote to memory of 3652	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	84
PID 2352 wrote to memory of 2668	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	87
PID 2352 wrote to memory of 2668	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	87
PID 2352 wrote to memory of 2668	2352	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\SysDrvSV\xoptiec.exe
  C:\SysDrvSV\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ4O\optiaec.exe

Filesize
2.7MB

MD5
d0d039cb9a2bcda62e5bc7d1648ad1ab

SHA1
201ee80db25e001ca68c3029b08c644512b4cd7f

SHA256
fcb83f3e33fe8f4c87f4a9ba7687111612d14f7d99bf58819e5cb590e9982b1f

SHA512
d6e98d5a98c67c2fcfe8dc16cc7d6157cc4f4b556e94242ca859cb352d1b49730203cda5575610bce901b4bafe6ee387a16a709a3bebb83ac78cc1b23505f8a4

Download Submit
C:\LabZ4O\optiaec.exe

Filesize
187KB

MD5
a2eba23079bfb40b8d217c2d0df133a5

SHA1
bc84af1272317a1ab0a9c9b89834799b9467000e

SHA256
399ed41edb89ce19d18f643739715e27a7a4965c97b6258f02f730e2911be2be

SHA512
7838e884be25f52e846f0a070b2500542fbcab8fca86bae95394e93949d07f24983ad11e8ce424ce516b34eec8aa229a38af3936dde2bb305b419b64cc47dc37

Download Submit
C:\SysDrvSV\xoptiec.exe

Filesize
15KB

MD5
87e354be4aa61f8389e6604d1675efa5

SHA1
38bcbf38e1394145f2166766703749df80b20328

SHA256
794a732d2f891bfb9155ea0d8e5fadf6c486785b9bdac6abdd220ce2a8ae179c

SHA512
debe16cf4c6394d0deae3956bc8214763c4c74bdc89afeb8d6260485b813b797e7be5c2ee0451d765a8b95d2b39c23eb4141843e9767cecf2694d3bbc13552b5

Download Submit
C:\SysDrvSV\xoptiec.exe

Filesize
3.1MB

MD5
4321a9e82a53ef35ddb444fa3cc323a9

SHA1
a3f9b21224c13e19619723f7cc8cdfeca87a1c9c

SHA256
f3ca1426b7b0b12dfa15a404b5b0e47e19c92b0a8db3387777fc3b8939463931

SHA512
1b7fdee84172681cc56c97a7d66df925be1ba271d719a5815c4281ba9ea0768a26b38cd532f39714d611cc6131923d2763e9911a2f68381d7356c70539f40779

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
9b9efd06d78840b75ae08bc21cad83ea

SHA1
0396551f8e09df06a08301c4ce8ee35951b628cc

SHA256
24d7b9278a6b8208f1b0ad30b972a5148ee1fd586d91d47c050b6fd499ec02b5

SHA512
dae7efe3120887a1423b064bb59630bcb8427e242a25be97fc44dd3a7c082c05b28e2f79d14db5ea6036248449b7bfef7010de17b1d2bedf750ffb2e860b9e1f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
a46a0618da7c94548423d6c030e11b1c

SHA1
ea611552eaf5be5dd4d7044c9c597a4b917acdc3

SHA256
7a3138c456427c219986d2caaeca3d0e4cdee910efea9922e060261d47fff1dc

SHA512
24bddefb7cd943f3c3b3b17f8014e88c41946da398b314b9644a8e7940aee0840157403febf13c29142d7cf9ea4b1fe4b40ee7e24233bd566e0f02e740c7f4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.1MB

MD5
3fc227072dd39502b725c17d17b43549

SHA1
1ba9435a3bf453040d8bf6a46bbd858715e68ad4

SHA256
55735e4c52c7c8d9138f2a8c969136d955e73ed86c5f90f51f167d9067c14fc3

SHA512
3cbc77296f679b011e5a80338c4fc04a757fbeba09d3db7dae00771626e99242bdba683f122eda98e6b3c50020c2ee76f855c0705be290eeffb72d8f005b6312

Download Submit