4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
Size

3.0MB
MD5

aa3c13aef990e8df9ce2d2ff912533c0
SHA1

abbeec86b7bc6318ea1e5a373dd46edf5f993252
SHA256

4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752
SHA512

a137a8dca379e3d7a15817e88e5e10e176410fe1a04d040149c7f82b83fb25e4f14a933a44dd97d1d0bd8d7699a88d72585dc6f7c031e25e7624103005d79b61
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	locaopti.exe
2208	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4F\\devoptiloc.exe"	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNY\\bodaloc.exe"	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe
2916	locaopti.exe
2208	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2916	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2916	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2916	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2916	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2208	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2208	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2208	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 2208	1992	4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\SysDrv4F\devoptiloc.exe
  C:\SysDrv4F\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv4F\devoptiloc.exe

Filesize
3KB

MD5
1277107cabcc016a5fd1f1042e36a2e3

SHA1
d7f8e8f7a16218d6bb1dce7bd03617500801eb78

SHA256
8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273

SHA512
f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3

Download Submit
C:\SysDrv4F\devoptiloc.exe

Filesize
3.0MB

MD5
5089d06aa7c85cd6a0a833c61fc72470

SHA1
ce7bfe700a67d7cae336b1cbbc12a32071aac516

SHA256
53f181c03a2ec85ec8afc05a214d977d29335eff0f85581f12e45fe153611147

SHA512
99b4ed540c3f5309dd19bb5c72309080cd91375ea84527e9815c953385224c24ad456fa711be55a398d78d7ce8d11dc84d7b9075837257c5a464772361df91a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
fbb24019c8e7c1e4aee8b89ef33e1d7e

SHA1
b9504943f6dd5c045339229832e7e88f4314d456

SHA256
f55691f539c59a4d051bca3af2fe602ed880d2a9434dfd8a79b38f491ad992ea

SHA512
89b9de2f39388ef7d0c313f04c39015e177f436d3aebe3faac9dce78d15c0c37e00c2bdcbfe0ef59eeba343b10b540e02948584b93b9ea827d6d0907b350c7d5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
9cc68727ec8ed4931ffbdede1f120caf

SHA1
06f32c5c8951eefcd133d1b8b08da4bb2151f4a3

SHA256
8c46ff9071f3b7b4c59136fbc469ef7240d2652e56e2f66d09b7e34c254cf817

SHA512
3fc8a476fb59fe16fd3b6d8d1f6af769adb21724532142aae5c6e16c58b418e11ebb28c38975dbdfb8f7c44f46c90e94863316898a131763026c99263ee5a20e

Download Submit
C:\VidNY\bodaloc.exe

Filesize
2.8MB

MD5
e96ec0a8e9ac44f71ae6929605c818f1

SHA1
ddba51447571b7edd819037689834b034bcfd684

SHA256
671b8765bf0e05e4d8b114c06eddf3c5931f88d6f98f69fe9bdbeac7dfdf4a42

SHA512
dfbe0fa4bfb632164e868222275e881af1d830e59d9a22f4838887c7f72b52b4db972c59e0802420f247e19495c3c16d0a35babf18918746406c8860f3c53b58

Download Submit
C:\VidNY\bodaloc.exe

Filesize
1.1MB

MD5
9e6defd03c74ec76d61ebfbfaf5bb658

SHA1
14177fe671857e48f85cf63e4b40a88e89e7b87c

SHA256
ff91897c82cfccdf17b2a9b9f39d8a8391add44de937284312b2730ce7bed682

SHA512
4574028d239df4f66f9e964349847d5eda6b8f843e0fd38da56f63faf706539fb382e2df226e037dbdb44f7aa050a230fa6a8c33f8661ff56d1bf254c35473aa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.0MB

MD5
cf9009da3e613a338034d38c21889c22

SHA1
2b5ecc75f75a6215cf034e5bab807cc836bc3932

SHA256
eded8f6f7ff13632d4a258baf04964d28317286d75ba790f6f45d843a4a43c4f

SHA512
daf2ce743c4556afc9168458e155c9aed333df4cc9d93bcb7cec82523fada1b0e0b22eea09ed40b54203dafe09fb7f658904ee723f074601f3a47622ac9e18b4

Download Submit