78286976b78ee9796bd76d71ac8ffd7ffaf4d57870bf4d8d733f6b4cf892337c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 23:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
Size

3.1MB
MD5

1f781ac1ad56d9bb64ea529d4bb34ff0
SHA1

4c231714ea6c42004900f5776c5b65de77983c05
SHA256

78286976b78ee9796bd76d71ac8ffd7ffaf4d57870bf4d8d733f6b4cf892337c
SHA512

375f30e0b210a48d5f76baaf2ed9c2bf514d976521da3dc902331cc07603254eacb8218f8cca184b11b2faa7ad67ee5e9a6a04890f80c748795baaf37b816125
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpwbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3636	locxopti.exe
3668	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWA\\boddevsys.exe"	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPR\\aoptisys.exe"	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe
3636	locxopti.exe
3636	locxopti.exe
3668	aoptisys.exe
3668	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3636	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	93
PID 3508 wrote to memory of 3636	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	93
PID 3508 wrote to memory of 3636	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	93
PID 3508 wrote to memory of 3668	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	94
PID 3508 wrote to memory of 3668	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	94
PID 3508 wrote to memory of 3668	3508	1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f781ac1ad56d9bb64ea529d4bb34ff0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\FilesPR\aoptisys.exe
  C:\FilesPR\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4296,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPR\aoptisys.exe

Filesize
3.1MB

MD5
21d3fdfdf0d0418de444190bc1a09b8e

SHA1
86cc00f5df09fc3b90c99d45991af17fa4fd2dfa

SHA256
45c1036e4fba434e5a5ee402cfd105b71f809c70dd8f6e750494a328428bc005

SHA512
8a10c76ae759635cf0109f232a232f6a8f5eb185e08cc5f927023a0eff3b131cb9053f63ed584a44cc4f923b94c85f6f3086871eb32ac93f7b517d489b0c9d6f

Download Submit
C:\KaVBWA\boddevsys.exe

Filesize
3.1MB

MD5
720b208f6ef990e8633146719c160d5a

SHA1
ef0aa8e92c6c0beb22d2839844eb72712b4a2445

SHA256
73030a8583e83db5fa85043c08373353d72366cc29efa06de8e64b1481c5a37a

SHA512
17a01a4df0f9d56b936c69237be92a427f22c544ed85c0390f1f3fa088910064f9663daa5c74955f9256b46f5b020a678ec1e312e357d1b015d901937695e0e3

Download Submit
C:\KaVBWA\boddevsys.exe

Filesize
3.1MB

MD5
22b94fb9e64676d1ef16c9a4113cd555

SHA1
efec8e5061b65db0163663d3ef2a722e8ee342c5

SHA256
f82cd6c535612a8959197225731fdb84bf5e3cd0fc7df2c68792dd453f2f1471

SHA512
426a300630854203745559f30a0e785f37dd15ce307d296da98c67d80d31fdc3baa2dd6367c9b03d01ccfb266b32decf25b8d7fa55633468de4e02cc7f768db8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
a5dcc73c2aec670a854c927a147369e7

SHA1
56e257164c40d4bd6555fe667cd800bcf79ab369

SHA256
4a9ca6e9354b24ec3795d09e012ef37f630382482d3eee9738f02f249e9f86b6

SHA512
578be5803c71aef690bb352f47d36783fb86860d9096db30160c632f236cccdb1c0e9b2e55bbffe868be25204e889409e3233a95cff12e81b9afe902d9a80a3c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
79d8153a84f715a4cedee2c62ca3901b

SHA1
3cffe689a3bbf77e7cf2c27f0f3332079546d24e

SHA256
32373fec0c6377ec78ee5aa7e44260b209ff8bfe045ebbb65e4e5e838138d091

SHA512
c563f39e40ef1974e792ed4e882ba5d07b3755e61b6f2b1881028c5182f4b14f758f5003828c6f6f6b89602ae7defe213762eadb117fe62d1b15eb7f986c00ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
c36dca4ac451a6b3c1a95bed92c78132

SHA1
3c41d345e8236a918f42ccc40652176ad6a5f568

SHA256
56b820b3edf6e0ec390f6941461800aa193451f9847d987fbe19a20528c076c0

SHA512
258919627f91d3bbdf19083b6775f724e5e0d93566bfbe956e687673595bb00ca158106778d59e611454264d29e0413146eba8a796e654f08ccfc6fa67479095

Download Submit