9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
Size

4.1MB
MD5

89606ea9cc1e017b813d55868d8bd980
SHA1

aff596ddbb9d76ad31411df9166ba17bea8c4ca3
SHA256

9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8
SHA512

c95df2d0739539a6edaf8cf29477590be14183d7a910131d1cdceb3ad195dd11067ae69fe3be2a15db4e28af6ee0737a4c539730cbfbde5449ffeddf51605fde
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	ecdevopti.exe
3688	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\aoptisys.exe"	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQN\\optidevsys.exe"	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe
2736	ecdevopti.exe
2736	ecdevopti.exe
3688	aoptisys.exe
3688	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2736	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	93
PID 1832 wrote to memory of 2736	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	93
PID 1832 wrote to memory of 2736	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	93
PID 1832 wrote to memory of 3688	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	94
PID 1832 wrote to memory of 3688	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	94
PID 1832 wrote to memory of 3688	1832	89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Files9A\aoptisys.exe
  C:\Files9A\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3624,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files9A\aoptisys.exe

Filesize
133KB

MD5
8b8eba3fd22786287dad260140dde5bd

SHA1
9b44fbbbfd2a82fbfbcd9853b584b172b9f0254e

SHA256
90d217bcc575273cb7c6dd241cba9316d854bac83b24e621948ee330beecd01c

SHA512
57afd4975e26c944ac7d7286356f7fd43807347713eb1bcce49c3a4148cbe1439b89b12c672566a8f21469285659c298998a18f4aeb881e079c6199faae929fa

Download Submit
C:\Files9A\aoptisys.exe

Filesize
4.1MB

MD5
bdc8299d6d331112e437275117474551

SHA1
bd43ec2828b24dc0f6f8e5e46149811c461e97bb

SHA256
f574595dbc9d0b30b9395616280f91e9468ab78b1a2fd36852fa2375a6c5d6ac

SHA512
7a8d4cd5d18e8faf04571adab81491f53d546554bbfd09dd914620a96c849449dda51432fdd4609748415cbeb6a62c060819489b84016fd5e6a78ec1807a1782

Download Submit
C:\LabZQN\optidevsys.exe

Filesize
233KB

MD5
357639bde7c2ca25a0c995f8d1edeef7

SHA1
a0eee62359364c8f85916fcba640399f5756723e

SHA256
dd1e47868e4566bc67c1571f57dbdf55c9080f0ca4a2a7d9b9e16ffb0e6b363a

SHA512
3165c88c071709b5cb87185671caf9bb27f33cb8d1f2550ce35f491c025f0d15c45a694c0ced3b259b00fe2d4e0f64884c99b8f65c92b625253adf90700d6e73

Download Submit
C:\LabZQN\optidevsys.exe

Filesize
3.1MB

MD5
a5990394f05221022b86ee84d26a45c6

SHA1
e18d73c9864f3ecc1b2f1e9a5aab07fcd54bf353

SHA256
32f24625e2787c711548713ae907f97a298cd2d188d4c022727d1ba7d04edb5f

SHA512
38413787189f433de2d2542713dc4fda100aeb4ab89f14f1495ded2341fa4bae851a4b92cde232918b6d25d2a58aac2044a3ae3c22b8903e4ad67187d9dfd26b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
edb48d70f8ef0fee69ed2c28e0dea56e

SHA1
1ea09953d2e2fa9f9b246f4f9d8892eaaacb06b1

SHA256
6f1f57a50b48fb0a78db09c248047a2f4424e2c12a250c3132579475e9f4bb62

SHA512
d0ca79104867a7c0b5e401c4876d18928948ca7f04cc9dd90872859675fd572880543edd9cdd8f8f414ce8e32139537342a638e8ffb45f4dea0f8155cefaad2f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
1bd84585ed973739aa58b26371a9af8f

SHA1
6d43ec9fa20f362d4755dffe089afe0e7b09c4aa

SHA256
8a2c0a883c93d16d750f18fe4362dc2730f8a03a4861b5d24e1885f575c7808d

SHA512
104dd5c0cfe43ea344a10657ab1740f0c382ee0fa607a362fce35d9fd950c677bd39863a28a3c0dec8619921d10d1e03c1bb1c8772b75e09ac8644f06be78cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
4.1MB

MD5
a287b5c6e4a0759a684eb8f54f732c66

SHA1
f55247bd22e1d496565a70747f9a9a0154444cb5

SHA256
dafc81bf2b2315924a7ca8472c1b89974e5f239f21bbdd407150210496633fcd

SHA512
9a6a71b0eb28760345321addfe28c6fbd4545349bb8b26908b72e19dfd2898e31f1b5cd2df5019bd498dc988dec58f07eec02709372b87154560322383186df8

Download Submit