3f4957f84cdc65da61f8cedf739e25756a09e298edc81c8f92fff939e788a6ad

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
Size

3.9MB
MD5

1263a8ea817602dabb69d2fc3d3aaf30
SHA1

becf48bd7a7067793b58300c76898461e30bee8a
SHA256

3f4957f84cdc65da61f8cedf739e25756a09e298edc81c8f92fff939e788a6ad
SHA512

c525a64bf4a5aed6f7d039232fb209fc8dc217d76c8b70488b17e906d7494f6da6db34b21acb2ad0bc20971fda217cb645072512fe01fff979b55b0fa52fee08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8:sxX7QnxrloE5dpUp4bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4296	locxopti.exe
992	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD3\\devoptiloc.exe"	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAF\\optidevec.exe"	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe
4296	locxopti.exe
4296	locxopti.exe
992	devoptiloc.exe
992	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4296	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	81
PID 396 wrote to memory of 4296	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	81
PID 396 wrote to memory of 4296	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	81
PID 396 wrote to memory of 992	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	84
PID 396 wrote to memory of 992	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	84
PID 396 wrote to memory of 992	396	1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1263a8ea817602dabb69d2fc3d3aaf30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\SysDrvD3\devoptiloc.exe
  C:\SysDrvD3\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAF\optidevec.exe

Filesize
2.1MB

MD5
730759a732f6714db43f72dbf2ad62e6

SHA1
7db0f66628826f57dfd2028a41159c28be9e002d

SHA256
96f8afe0c889bd705c765e5a1786ceb404ff4733b9416a5b7960553ab4aa67ec

SHA512
bc36a273d7bc06727b7c8d640e2d44c23f226ce8515ab28e07fc9b89cf2245fc150df59409ffc5fe045b44d986abefe88e5fc1b6fb4ca164f469419aad754b6d

Download Submit
C:\GalaxAF\optidevec.exe

Filesize
3.9MB

MD5
e58d099835604868c0b2827dbe79001b

SHA1
df273ef975f0f811cd0c7ff0d15657f4020b9d0a

SHA256
076c7880f810b8e0759f681d7d0af8ab29d386938f658c3445e32bafe0ffca46

SHA512
b43afb6698fa47055943e53a478955d63f78f47a09b1ebb147472a967264a5be0038596f0241da7234cd597c013848639c37827f2d76d3efa8824d43da38da01

Download Submit
C:\SysDrvD3\devoptiloc.exe

Filesize
3.9MB

MD5
5d21ee8d88fb4ff4bd5ff8663ac7032a

SHA1
190163b1babafcdcd2bdda1c20b5097350fbf491

SHA256
5145d09ea86813750b84c127bbfa96a208d0640938a3afbf433d6f64c0e21f8b

SHA512
0bafea0a2eff8c0236cde681e1fa2ba2aed33dabfac81ba162c99745e532012d1e5fcd71e5a05abc6b909311a81215dc8a6466014c5bab4ba99c3cdac71e4fa1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
5912ebc84094d754e6dd42680cbb6a59

SHA1
dc953836884add45384bd8ff98d6eceecca01dea

SHA256
041fe29e740fbd078e72fe2cf64399746b62884a6c3751dcdec14370f86f0c93

SHA512
850c18cebfedcfffd543256e1df8243c6fcf13a71dfdbded8cfd8d1489af3c752789226865344778bd8986b0836e19417b0c2dcdccc5191b7ce2795a39d1b308

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
9c4fd94761088ff14a84ff9bf11e8d79

SHA1
4637463e4dfa9c8dfc735b89002454c1ef588250

SHA256
af91878a960c58f0577d7c13f3aea21bbed3a2bbf86e08101eb56bbb2194f164

SHA512
bae7c541097ce635fa992257166002e87e1dd32139b4c53d77e65b5b279366ea05c84c200ea9d148f7d31a1a2b02f2a2084af23234759e1ccad385aded072e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.9MB

MD5
603ccb62c58394bb3895ee7a07879413

SHA1
d416bd9670225a8a55adcb1ee9c4a9d05089be7b

SHA256
b67fecd3fe51da420da04b7fa98f133d8a58b19859431518b504acd3ed209cf0

SHA512
187496594949bba2d0ad4133f4515d834e4a9cb6f5696c69baba25bb90193ba8936ad6cf64a23121bb61157e9d0cec511b42797271b4dec42b2cb63181d7e937

Download Submit