5403637ed6f07238053f6da22143d5066cddc7cd0528efeb4689f4994143db9e

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
Size

2.6MB
MD5

20e5d192928ec468fc4c6e5e99c5d600
SHA1

146a6e386fcd6412f0022c4350cca74d010aefbe
SHA256

5403637ed6f07238053f6da22143d5066cddc7cd0528efeb4689f4994143db9e
SHA512

a146937a87671ce056b3867d33e193d2b0526c0f694a7d1f9bec6b53533d77b92e367e762921e33e6e143945bd2e22318f94126ede68310967ed8f0eb2f89f53
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bS:sxX7QnxrloE5dpUp2b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3460	ecaopti.exe
4508	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLO\\xoptiec.exe"	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGJ\\optixsys.exe"	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe
3460	ecaopti.exe
3460	ecaopti.exe
4508	xoptiec.exe
4508	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3460	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	85
PID 4484 wrote to memory of 3460	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	85
PID 4484 wrote to memory of 3460	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	85
PID 4484 wrote to memory of 4508	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	86
PID 4484 wrote to memory of 4508	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	86
PID 4484 wrote to memory of 4508	4484	20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20e5d192928ec468fc4c6e5e99c5d600_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\AdobeLO\xoptiec.exe
  C:\AdobeLO\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLO\xoptiec.exe

Filesize
2.6MB

MD5
b97b7f402f2d46517005c268a3d8b0ec

SHA1
413019f34ee1c222e9d23145232e2b7483b78816

SHA256
48a19a4c11495904d49d831499334abe34ef86c97433557534b12dba63f6e254

SHA512
13e1793b71a79760cdebe8ca9705f43660387f8a4d6a8a801c0a7e68639a867b391c8590e9adee4a509c771850dbb6834ca534a9d595530d6b9c39d333c06af9

Download Submit
C:\GalaxGJ\optixsys.exe

Filesize
1021KB

MD5
f42155cd4a137db1e4dac8e45976d258

SHA1
862b5c80bddb94e30da82b22679bc75909e75190

SHA256
1a2684e78d4da6cf2e5be7624cbe60bb56040db6ad2ace67d2e42729609efa21

SHA512
8724bfbc26b591216ce45df7a790b9f296165ad68477ac5e7eda7838cd76f59caa98944884def4ab41d4e52eb503094bc8cb7cb0448cad5973c58852311b37b4

Download Submit
C:\GalaxGJ\optixsys.exe

Filesize
2KB

MD5
c5cfe1fb3ffc85f6f58808a90a25e91e

SHA1
ea78a58a967d2365305ccabf1b39b6f7b0a0b7e3

SHA256
50c90a817d63d059b816ac95af37989df34e48ec70ef2acc583abb3cf31cab51

SHA512
5dc1e22ba14edba2a7edf8e9a293b062eaede2c7b009297aaa3b1e6a770471f162799a9e1d7fa3d802fcdb3b64c0c79bb4ebb9ef8c89d0aa31f21e642d728cbe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
d8edc6807296c7775369ff858ed464fa

SHA1
ea9fa858e275ae564de272d1053cabd05c2b3f9b

SHA256
7b8b272f329ec28cb7d5b3596e26b9051853c702941230f37953f90389661d25

SHA512
c1388a0c5aa84291b09c40e80c6f8a7eff3112aa9115b930903e83478cc3c978349b51fde1d8fa51f18aeda9d3e645bdb1e17fed4dfc1f0b71b1275caf67d5f0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6cb1ac5e4cea64c37247e4945fedec42

SHA1
aa29600b765f7afbc8994fcb6ade70c4e9fe7451

SHA256
b4ac19437dc5b4757fde53dddaa90fb909e4d05c6c45f5b07a52e0e8a59d36bd

SHA512
ea278aa7dd9eeb0a1fd4f2c51ea6b19280af518129f5eca43e1013c7e59b8e66a20495e7359a7315952360dfd39b791e49d4c24b60e2b4ef9edc761d3b2007e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
4e13b5458c2adab9951237af7255f810

SHA1
a1dfa3a285add9dbc5d756c98b2435bb891b5b77

SHA256
efed44c9e426cf3a809f1ec3814eeb6147513709e190813840b40c9cb2693399

SHA512
e1e3db3275329011d6d08e65772b06e66c7396ba474be1135161bf2741f71c0b7633652f85d45e280c08ee2a9d9200afabb9fce6e749e4dcae5867d4f986b0fc

Download Submit