1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
Size

3.9MB
MD5

4f90d7054ab313f8b7e02c63fb3bf6a0
SHA1

8166579a770cfd69805ef2158218960a8087ef34
SHA256

1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913
SHA512

26ccea2e76bbe15b765cbe3026e971b0e107d87541f81c5c3ecab436bdc45b6b6a6735eaa9aafbbfdbc514916b51c2e21acf8a293a25b62fe635a0eff7c170cb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpubVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1080	sysaopti.exe
2204	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7L\\xoptiec.exe"	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK7\\optixloc.exe"	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe
1080	sysaopti.exe
2204	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1080	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 1080	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 1080	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 1080	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2204	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2204	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2204	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2204	2020	1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Files7L\xoptiec.exe
  C:\Files7L\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7L\xoptiec.exe

Filesize
8KB

MD5
b6a3be42755c871ed4a546b6cfb8e5e8

SHA1
45db3ee8541418f154843d4a791071b3c3c65177

SHA256
1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657

SHA512
a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e

Download Submit
C:\KaVBK7\optixloc.exe

Filesize
3.9MB

MD5
3ddb28cf4b939774abdc6e7d5ab52274

SHA1
59cd13bd4e0344294470d1d2371a428213fed91a

SHA256
dc5a97305580d7a2a5ad5267b7bef8f6030afff4fb335b4cf96768c77ee2669e

SHA512
11deac8ee3d94a12f9613be8072fb10ad27fcfecdb8bebbcc06152f2f9a0d1cd42c04baebc701b592635e3890d6bb96dbf2ab7883fb3f2dc7f67c1ff3abd1905

Download Submit
C:\KaVBK7\optixloc.exe

Filesize
3.9MB

MD5
3a69d27bba2a78c1427da221e130e4df

SHA1
b55aa68414a4943cfdb0007de2476e6165bb8dca

SHA256
f0a893b1a656822a892ff64747dcb9ff7c717fc7a4376ec7719cc08c11778c9d

SHA512
1f893e4d3de82bd1526fcaaac0335a3cc27f4fd48ea39212764fec2c435da9c9c88c84662749054da6f5754f2a97199445d4f84f0ab694c5d9cf6d8ffabeda6f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
2e78fef0b06d7f55e1326a0f0f631be4

SHA1
d5922fa63b2f5482b75380699bd81a34d0a22978

SHA256
cefa38b64489eb2ba28489ee1a5afe81709ca9a1c9fc786b26456a2ad4d78d65

SHA512
45a465bc05a9fccbfdf8dc411edf44349e09b7a52d383af8bd6216b291629cbf47e67535cda5530b37bf1f9c7943bc102079f7c1863cbffd6e6c1909bcf4ceaf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
04c5f7c995fa0646ab5de9f9f760acb2

SHA1
14a2c8b4c5da876b9952593be8d3ed46c38a7c4c

SHA256
e316caecc4faacf02870f84bdf4267065b431612817a156257171f7803e240f0

SHA512
982868714fb7a461ee690f7bb581c4929a14a5297bc2263a7dd0e32be9ef78ebb64d9c6d034875b65e7ecc1e5696c2091689a1c614a5019ea7875fdd6db08d03

Download Submit
\Files7L\xoptiec.exe

Filesize
3.9MB

MD5
6010150fac7876cebe73fc6d79863486

SHA1
23ae1f2a80e5ae7e53eb96cdc6a55b27979e7231

SHA256
f1a5c418ba1c83b3a6376c43d88230bfa82e3ade07040ffb52451ce7638a91c5

SHA512
368bc38de4b6c44baa785bb7eec94792931c59ad91d4bcf44509dd4257ddd70fbdd1a7be256d585dca0c07163cf6ccb25810b17dcf53bc336a176477ee52fe58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.9MB

MD5
11f679a0788055f278c01901c1d9af16

SHA1
041549fee3a533cfdce40f39c8dcf58a538493f7

SHA256
813581f7028b044e041f3b7dda95464882b74a4b6ad65e84214db31f65cdb0a9

SHA512
17c7b22c85ec2d5c6fc9151f61832d32c62cc87e4fe17e15ad11b23b3ffad814aecd10b502e13cc606c1091a87e164d6ca951ce6c15915f35af2eefc68debea6

Download Submit