969373777f286ef1e1b4b272458125017ee07b8c794c3155f4a564f358a85ef9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
Size

2.6MB
MD5

95779512cc92396444ef9f73d1992460
SHA1

81f230bbdd877ab81aa1e874cd4d513d5e5bab95
SHA256

969373777f286ef1e1b4b272458125017ee07b8c794c3155f4a564f358a85ef9
SHA512

504176831ef0e09b7d2122be3104352fba1b1a67ccef356e0283f3bfc37fa865545685618a39313b8ef31c92ea93766c26a75ea5f147b21111b9b818987fe1e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUp/b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	locdevopti.exe
2756	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSQ\\aoptiec.exe"	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB08\\optidevec.exe"	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe
3504	locdevopti.exe
3504	locdevopti.exe
2756	aoptiec.exe
2756	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3504	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	94
PID 4552 wrote to memory of 3504	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	94
PID 4552 wrote to memory of 3504	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	94
PID 4552 wrote to memory of 2756	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	95
PID 4552 wrote to memory of 2756	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	95
PID 4552 wrote to memory of 2756	4552	95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe	95

C:\Users\Admin\AppData\Local\Temp\95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95779512cc92396444ef9f73d1992460_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\SysDrvSQ\aoptiec.exe
  C:\SysDrvSQ\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB08\optidevec.exe

Filesize
2.6MB

MD5
a2edfcea050436fc7e77b477be331fa0

SHA1
83d4053b5654418931b32350cb57c926f29b9625

SHA256
5146f9cacd47ee83322e7a32df9591308fe9c4823011bbed0e4895405ed5fd85

SHA512
42db5cefbd9607e25aeb9da38cb00c044ea8f5ab485eea90b155021d8d1391cac593e72071a4acb28131965e3687d0843672b38ff75dc765ee1837318654f461

Download Submit
C:\SysDrvSQ\aoptiec.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit
C:\SysDrvSQ\aoptiec.exe

Filesize
2.6MB

MD5
e84ba7230b7de1abf83af2f4b1e99239

SHA1
fa4e1ffc63bd25880dd99b22bca454e2bb049577

SHA256
8e4c2425d3ada775d960ac4a96ac1a012df2842cabb827678b30c76492b1c8e8

SHA512
016b256feb3342a78e54171b74bf98802501086199c75cff07c6d2c25a9135eac4d0e3eec793317ce6eba85286eafd9586f6d5396ea86b8517f7e233fc43d42f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
d362baa3fcc3fb5794ce5f7bb911788c

SHA1
5548a6999a974f6d0ca97b930709b5278ed69c10

SHA256
ffaa1b9a4be1a1df42ad2e819b70fbdcc203137285753f331f2d354d60ba9d82

SHA512
4c1afe57082c54f8817ec928610898dd4be3202856d5b300ac062883fcf1801583c6b569be1f8c186b64b5f06911774c2bd4b586f9b3840f5536beae1fa3670b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
0f51f126d057a6b9669784c2185606af

SHA1
0bbe269d90985f04bb5da37c1d3b5dc0d19705a1

SHA256
68e119c6da4a8748ed2023d83cb003935186316c51fd2945ed8ed4820dcdac72

SHA512
b7d1d50fb5e1803687d29e55fd26c67541d21f333c53aa56b83686bf530108c027c9459ff0a2614994250bd9a096c1cf4391f96a23885a4f323415b9d74420e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
c84cbc3011f9caf68f0aec398d605b13

SHA1
23f0f8bb4e0234da0d1a7e3c8be71c4fb34fe07d

SHA256
6327f9503e07d52dd02bc4cb920c69e0d91328ccd8f3763a3c8a22d8f1de808a

SHA512
c91eb9cd7f9cfa3d3cc1c2f54914a10f659b6d81c6940a4c2e76273b280661c2123f23447ac09b717a11f234c66be18c0e47940e1a34bb7ba2c16dbf23abaf0a

Download Submit