3a835678904644b34212899ce82623ef796884a131ae4d1e3936e20fca1a0808

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
Size

3.2MB
MD5

3e01c1ad06f557fad510b9c2c070ed50
SHA1

54c794a6f3b371eb444071dbf6180e9c8b4aa09c
SHA256

3a835678904644b34212899ce82623ef796884a131ae4d1e3936e20fca1a0808
SHA512

02e33904378efd7bd3c3a78ef2b17901d1d5eb6ba05e29e16dbe6cfb471f07bd07d04683dec80401df2a6e5c2aabb80a3c19c4d24d637560c18e04f4d8abdbe4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1512	locaopti.exe
2944	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4F\\devoptiloc.exe"	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNY\\bodaloc.exe"	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe
1512	locaopti.exe
2944	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1512	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1512	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1512	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1512	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 2944	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	29
PID 1632 wrote to memory of 2944	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	29
PID 1632 wrote to memory of 2944	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	29
PID 1632 wrote to memory of 2944	1632	3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e01c1ad06f557fad510b9c2c070ed50_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\SysDrv4F\devoptiloc.exe
  C:\SysDrv4F\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv4F\devoptiloc.exe

Filesize
3.2MB

MD5
0d65edae03518b8db768ddfa437592ce

SHA1
a9d08243f1dcfa5d50adc8bdf0747f7426cf67ce

SHA256
64cb68e3790b378fa66b832ad0ad2a1815f9aebd07149a375c5d6df62f1a3b42

SHA512
882479d4a1fb4e2635508f560deee638845be1a2b8f6dccd1ac17cf0695c05d828e91fa660f72c3193caf25e8b1956fb0c214b739543b843bff21604d4564dcd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
fbb24019c8e7c1e4aee8b89ef33e1d7e

SHA1
b9504943f6dd5c045339229832e7e88f4314d456

SHA256
f55691f539c59a4d051bca3af2fe602ed880d2a9434dfd8a79b38f491ad992ea

SHA512
89b9de2f39388ef7d0c313f04c39015e177f436d3aebe3faac9dce78d15c0c37e00c2bdcbfe0ef59eeba343b10b540e02948584b93b9ea827d6d0907b350c7d5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
9cc68727ec8ed4931ffbdede1f120caf

SHA1
06f32c5c8951eefcd133d1b8b08da4bb2151f4a3

SHA256
8c46ff9071f3b7b4c59136fbc469ef7240d2652e56e2f66d09b7e34c254cf817

SHA512
3fc8a476fb59fe16fd3b6d8d1f6af769adb21724532142aae5c6e16c58b418e11ebb28c38975dbdfb8f7c44f46c90e94863316898a131763026c99263ee5a20e

Download Submit
C:\VidNY\bodaloc.exe

Filesize
10KB

MD5
211c211281a83cae04ba8989e177223a

SHA1
2c6a912a90ce71ae095e8f16a97222e28964a271

SHA256
c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b

SHA512
10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb

Download Submit
C:\VidNY\bodaloc.exe

Filesize
3.2MB

MD5
4c3151ad842aef2bfece92c595821c24

SHA1
3d988708842862f0f381870b91045d27827c6bf2

SHA256
dfcb7944ba3a459ffaa4e85be860c7050f4da4b7c5132daa254c9337cae67955

SHA512
1da9f88deb3664e696672f06e92fbcb6593ab0760e50282644b66ba6b68954aa7f6e7d33d32445cb3912c2a73cf45628602ca1eeea74673236849575ae68bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.2MB

MD5
7791813f28678e8b6e14ac715197a430

SHA1
740ab62320cfcb2e502245ff5a58b55682204ff2

SHA256
13156612bc88f07c33ac89ea46f2c488c00bebcba95e766cf0a23764d8104b11

SHA512
aa470d292370092b6eef7b8c6cfdafb65d34b0ae2882bb6a1972e112fef0c58a650f7b73018646274f9a464e0c6608fde6316b4f8e148e4fc2618a854263ec2f

Download Submit