78286976b78ee9796bd76d71ac8ffd7ffaf4d57870bf4d8d733f6b4cf892337c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
Size

3.1MB
MD5

1f781ac1ad56d9bb64ea529d4bb34ff0
SHA1

4c231714ea6c42004900f5776c5b65de77983c05
SHA256

78286976b78ee9796bd76d71ac8ffd7ffaf4d57870bf4d8d733f6b4cf892337c
SHA512

375f30e0b210a48d5f76baaf2ed9c2bf514d976521da3dc902331cc07603254eacb8218f8cca184b11b2faa7ad67ee5e9a6a04890f80c748795baaf37b816125
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpwbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	locdevbod.exe
2588	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTV\\xoptiec.exe"	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIH\\optiasys.exe"	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe
2376	locdevbod.exe
2588	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2376	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	28
PID 1280 wrote to memory of 2376	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	28
PID 1280 wrote to memory of 2376	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	28
PID 1280 wrote to memory of 2376	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	28
PID 1280 wrote to memory of 2588	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	29
PID 1280 wrote to memory of 2588	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	29
PID 1280 wrote to memory of 2588	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	29
PID 1280 wrote to memory of 2588	1280	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\UserDotTV\xoptiec.exe
  C:\UserDotTV\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotTV\xoptiec.exe

Filesize
3.1MB

MD5
941de4f84e12751ecb1580297e8ba156

SHA1
2c8d38e5ea2737aef03177224926dbf869118d35

SHA256
59835f669b5404ad8d152db21aabfb0bbc46c3df04f038190cd79775a320b0b7

SHA512
e5a8e8de8bb7b12c64686f59e8f0b3a32314dfaf4f5890444ec4edbd9eac2218afae379843311184b55f3a914ea360241def0dcdf5e3939788c7a63e721c2c9d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
9740f8b35a0a97da63a0b69d455c12bc

SHA1
0f90aaa1787e8dcb039c8914d1aa280a92bbab82

SHA256
1110363d17019539d56b369bb6880f696b574386317c480c8de38682bf569407

SHA512
19f9c3f917f5566026bc98631a5e31cba266eb1c1efcfc4856d1ba64a8e0f4ec29729663a18b194598ebd8b7f8ad57e0ee5876d7b61f75cc6aee3f7be4cfd758

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
cf70dd567a85e32aa1ab1f58017fb053

SHA1
e89126c0527adee2617ad38f3c05122ad0e737fa

SHA256
680786d10f28f30efef57490476265ee147044d25209258a329a584f910314fc

SHA512
bfd84b397e06be9e6999d423166862b28e08c3c9e36accbd5d68bc9225eab3e7c5e03815ac0c77321a81f38adf11cca5ea972ec21aa06bb2a17b3c139aed86c2

Download Submit
C:\VidIH\optiasys.exe

Filesize
3.1MB

MD5
c447872678b70ebcd1893c2caacb5f5c

SHA1
9276ec97c73a41f233ae3969e5594adcb96aedcf

SHA256
557cd5cc54704a8cf3c787cb590abb9ea2b2e98f46eb5d29803cac52c341f737

SHA512
a8de94a1e1b28cd9f3d84154b3d94e34bf56a38d68128ffea3e44a12b3f114caf27bfca16cfdb07b3d567542e543e1b7378b4b9bc2884a37f54df05da4385a12

Download Submit
C:\VidIH\optiasys.exe

Filesize
3.1MB

MD5
7c9a954c89be86f0b3708bc3a6a71ce2

SHA1
cadc4fab7f705d25e8702ec23fea6b0d0ce7c779

SHA256
6d6e86d08323c97f2e748d565e1e87fb50df21636788acd4b51598d0a2a79213

SHA512
4373eec7a741faa62f506fc888699524cc9061daf7c31d1be78d122e79bb98f657fe5b6f96def4be26df1ea1ba671ab5932b3e8c63e17605584b33271e6a4a9e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.1MB

MD5
1a70739b6e63fa1695c48a11f46924d3

SHA1
31ca40de3c5bafcf7cbb954692de00027457836c

SHA256
ad981d85b2528b2f59a3c8a6d9d995e906d53556d9bd837f1584e3c82631d655

SHA512
1837ca4e0021cb67e99c605a59aea32b6234fedb1502384bce579c9ca3d2a75a35bcb870704ed8a0d196f54ccacf9dc26a3e3493c08c10e0374e88d295af7f82

Download Submit