8080c22247e7f0f953394f7ad604765476cf7b0bad75914c6bb3a30e64411b3b

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
Size

3.9MB
MD5

3e7b0dc57b92277018f3d547cf294ce0
SHA1

c8c826bd8ab6f0925f3774066638d97d35db265f
SHA256

8080c22247e7f0f953394f7ad604765476cf7b0bad75914c6bb3a30e64411b3b
SHA512

7ed974da8672577d9c0a9c7f404e295134a770e927345534f3bff4eb378473c7d7f045577aa2b71ddc8288df9198875867036e17ba8e749b59461170fdd1d828
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUpFbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	locdevopti.exe
2664	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvT9\\abodsys.exe"	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUL\\optixsys.exe"	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe
2556	locdevopti.exe
2664	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2556	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2556	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2664	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2664	1964	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\SysDrvT9\abodsys.exe
  C:\SysDrvT9\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxUL\optixsys.exe

Filesize
3.9MB

MD5
74c5c25621d5b04f1e773d37ee69f102

SHA1
909fbf7b784a91cff951bd0502a141306d6388e4

SHA256
95b97f548a622f2b3a465fd1b3109e29ca95e2d76a4ddd032801e6df532c107d

SHA512
abf03971d85478a743d7dea991ad6d49b666b5796cf2cebee96578c36d8dd9035b62706d0732d31210d6a19e66427f41848ffff5caa5dd0d7a0642d644466252

Download Submit
C:\GalaxUL\optixsys.exe

Filesize
3.9MB

MD5
d02547aeea2f8faf0a3ec56bf019b3b8

SHA1
b3782109722e1dcd1f13961be5cac9a1ec141ee2

SHA256
d6738ec33220a7964ec25de8ea1b3beefa4db5bc36a37cb8f5cf231dd87a9e50

SHA512
14289a8d4a7787d1a5e9e0e9ba29beeb0bc8dafd922220f9ed806ddaffc7c8886991dd70dccfd4cba43c63320749623d9effb0f4822dc3d7417bb499144118ea

Download Submit
C:\SysDrvT9\abodsys.exe

Filesize
3.9MB

MD5
d4a73f9ee6445fbc3df691fb27f3c201

SHA1
8d686d99a19943e34fe2b1f54ce2e6a087fe354a

SHA256
2381d4eac6e4d5ced34f3598cd1e1d82afdffe82f03ee947c8b3f0b5cf1f6170

SHA512
276f8c7a40c97fbc33dc62b05616955ada8e3c388daff59308e1c46a1b17b57e9c2a00a1afccd0739c0b3df1daf9cd7edf5271610265689a1a9b94273810505f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
b305b7084826b2289ea745227f8a4faf

SHA1
4583f7f194e4d8e040855c227a00afcd2abdb291

SHA256
8d9cbc7a11ddb4c9646105ce5f580c7b347a61e92c9255dce4dc8f408f2aa829

SHA512
4b84073215b05a25d0a7874d1d7da98825a07183720b4a3fc2b1c5352a7598c01eb5b52033bc80415fbd2f9b685e78f3d4fed59a7f27e2f9ecc2ce7c01c32654

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
df1ff7191f07ef5e4ea1a250daf8b1b8

SHA1
4340ef2cee08e6ab71084317b0f823e1f277e37a

SHA256
d6bc2bdfbdb7d74200144da9f49673387508ad941598d5b1428d102c0f5008da

SHA512
910c3ae04989d1d05df812767a2afa97ae1e60d896cae096f0a5d07de76c6b46956f8569b659ec51b31ffe34b8d84d4cc7ba8f41fad9a7d508b02ee8b204f5de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.9MB

MD5
3707319f12b4ae426e120507bce8f6b1

SHA1
4e09dccc28fd3264cde4c176178b51db94939dbf

SHA256
43c318ddf015dfb3e8adc8647a6040666242342b58ef4a5448215311cbdb35f7

SHA512
2ef0775a0288a0a613f293c8d0e861e9d518383ac9dd9778a967c30a937916c6f7f4a1bb1eb7f4e07b1693c39515e97b84fe77d84c7d3132a4a9d2ea4e1deb81

Download Submit