e1c20432976ec830caac458fe0f1d82ada97bde115b1ecec36c1a082ab68336e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
Size

3.6MB
MD5

26fb7387092258ab4d6966ea7cf83950
SHA1

6bd3185a8ac2ec7ce099749e0b3c00965b918ad8
SHA256

e1c20432976ec830caac458fe0f1d82ada97bde115b1ecec36c1a082ab68336e
SHA512

8e42c14e07d6c4a9998fc0532df24ffcdcc2e7da249f52b79b70882a858cb2f9ad01eca22a0171f9893ba8c8fbc1fc45b467cb72b2e83390a0735c60fda2111a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	ecxbod.exe
2352	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZG0\\optiasys.exe"	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2V\\aoptiec.exe"	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe
2904	ecxbod.exe
2352	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2904	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2904	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2352	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2352	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2352	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2352	2020	26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\26fb7387092258ab4d6966ea7cf83950_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Adobe2V\aoptiec.exe
  C:\Adobe2V\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2V\aoptiec.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\Adobe2V\aoptiec.exe

Filesize
3.6MB

MD5
4e668b40406f5b6a2796a8dadfd0dacd

SHA1
cc44f185c80e0cb41b5d85c46fda7743142cdb97

SHA256
b6eea51f670183f3df378829f5de3d63f6c79d1e29b6ca5ac8afb99bcca20be4

SHA512
3ada2a57b29fe8d00fac842235338d8e1f359edabbf8bd9f2858b7024493df10b8f468f486169cbea44d8afc5555c62a79284676255d96eb68c53d9e61badc3d

Download Submit
C:\LabZG0\optiasys.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\LabZG0\optiasys.exe

Filesize
3.6MB

MD5
1b21c306f105051a865a471b29f8ad01

SHA1
baa27b851ef213f060926a5098fe9849e6d4a720

SHA256
1f1c6bfea66690dadd7d7dc61e8ba658f32713591516e742419e278df4ec63dd

SHA512
dbc0ca1842d0b8fea14484b47c826cf64a1990075958352c8df6e9fb3d709d2515730656054c54e314237ab531e64ed8f42d8f058f2148668e002b5c48dac7ca

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
81717bfd3cc7532ca415d171df7fd533

SHA1
7e5df5ad724d5d540d249daa5d306689f470e6bf

SHA256
7162f8ff32186e23a4af6d2afdbe858150ebf385090889f82b3b7d446adfae71

SHA512
fc9808453d343bc3c31140d573c23932c6c3d2709a6da59ccabc7b1faf20cfdfd49dd790b454c6ec807da044760a0a0c5690f639e2c5da4da89cc41d55f6edba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
58502fc9a2b66f10e1ffdc01cb0c7668

SHA1
ba1b2349061ca068201a46e7b6f88e7d0889b3fd

SHA256
13667dc6fc3d501307d422f23e00bc6ce01b184cf43da4db85acc1c89c9dd45e

SHA512
f95db64b484bf3073d7b455d04c9f1a5ddb59278c74dfd8db11cf532adebd208fbb03a604cfc26a814223435b384c362ed2d9ebcd7cc909aeb8b6bbc505873b1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.6MB

MD5
b112dd1e06518285d254fa2e85a41205

SHA1
79caea394fb7291c057f05a21916ec966903031f

SHA256
80b0687dfdb03e160eb3e3f4f4ca0d289da94d75056f7fa7b8d75c838c9d443b

SHA512
022fe5ab87bb26ba3e51e8769664d241517a626291d2f8cb800a4341cde519f03cd4f64e081fc46197cadabcf72fa9fc97ab2644af5c8d3d1a36065bd01543b4

Download Submit