54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
Size

3.9MB
MD5

a17bb9e0c99ed82d091d0e8b59184820
SHA1

6f75729eab33671786c577a1caf3bcfcdea546cd
SHA256

54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5
SHA512

55bab14d5d4d06d3ac860e442abfe08117946dbed9f2cdb24f6518a2a0e6acbf04e057b6fabb5a06ced8f21fd4608feba00c2cccd2c4f91dd0e3f3583ec12b03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	sysabod.exe
3600	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8Y\\aoptisys.exe"	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEQ\\optiasys.exe"	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe
1196	sysabod.exe
1196	sysabod.exe
3600	aoptisys.exe
3600	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1196	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	88
PID 2700 wrote to memory of 1196	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	88
PID 2700 wrote to memory of 1196	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	88
PID 2700 wrote to memory of 3600	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	90
PID 2700 wrote to memory of 3600	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	90
PID 2700 wrote to memory of 3600	2700	54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54b2a176a5cbacb8b7a656b18bf46ac1e39c8374dfbdc3b08b62abf417b747a5_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Adobe8Y\aoptisys.exe
  C:\Adobe8Y\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8Y\aoptisys.exe

Filesize
130KB

MD5
2bd2d734379f61886cf07eebb27b0ca8

SHA1
91472569499f827cbe19ff016838a117ecb84a93

SHA256
bbb26a27098ecbf15a05ba19128b9deca9861bb0fb87ca6500bb227512a5a279

SHA512
74f8f0ac0a9af1ea2fa41dd2721cc4b684be19d9677ec0b1ee6f8f350b74ded242be2ea127c06a7c1982afea5b39706dcce065146743da4ff48776b7e28e1768

Download Submit
C:\Adobe8Y\aoptisys.exe

Filesize
3.9MB

MD5
23559364bc56ec866708431dafadc7af

SHA1
18e97d7f2459d852052635701901eae5f48873dc

SHA256
5ab499c5973cb45d2ec7fb0cae4d39eb1e603dec5874634642e83c5bf284ec7c

SHA512
312d6477953fc4606820d7f2563ad2ca92ea04c793c04f81197eec45d64238a8720c58d6660d761d5a3c1c89fe3022f97ca72c4a4289020917be920f9ad34a63

Download Submit
C:\LabZEQ\optiasys.exe

Filesize
3.9MB

MD5
b6509460d417c9891b10dd79da18ea86

SHA1
825fd5b186746c014848fa2e344ca2b4869f6095

SHA256
9de8bb1c0e677c249a22d276d296b8a6057b757d122d0f2594f9ca25006fa65a

SHA512
290a6f26c27b595df2809c6876a4b3ff5fa1c4f62706eb3c7cc0812279574ad91113329722fce5da82e21e43b29d654a4660c172e956c320690fd65f86bf8416

Download Submit
C:\LabZEQ\optiasys.exe

Filesize
3.9MB

MD5
dc2724c1cee1fdc199790953a9ce311b

SHA1
bf2bb8112c6fb06097a16f595d0d54f31fee18f2

SHA256
b53bc60d08d57bf142299e5ae7a152651cae9604255c38e3eebd15404708c831

SHA512
2e95d87f518f0f8bbc5ee2334373384d5bc2a93292982243f4e04be002dc97123a00ccff7a0a3b9ebd009f581c12a6c17cebd3f0661740174c9dcbeea8d95de9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
9ae30b057b99bdf9266ab5df90f26207

SHA1
7f3f11eebd84602f8ca4a36d9e54fa2f49b42139

SHA256
93f9207c0abbac64bd37122ef69d68ea0f54ae9aefa0732bc31864cf9925c27c

SHA512
63ae93fab8a173d9ecdbcf7d90331e452e5dd49fab38163f02af33626012db53f875bc9766e0588678fd983c71a383474b9a9ac7f24bb0104d5e9dee311276ff

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
297b332f8b054711989abe75574a965f

SHA1
ac81589c42e8f8a771a0122df6a8743c446c7e88

SHA256
f16dd6f5847a16d53e3d14827c2d2ef2bd5d314b551f8437233fc35277a3d133

SHA512
34e38e8e3d4abc0ded9334ce97536599249016331d64d3893f4eb675194217a2620e51c0f6310771c82316907ebe88428c0c49fd29dbcd2362db7352c836cc98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.9MB

MD5
785ba1cea2e648c09411194c22e95197

SHA1
765d842a283439956f35a559e78e5834a586dc58

SHA256
3bc64239e42b5ce678deb82769749ac492eb9eb16aba490bd2a7d2c90b5b57ae

SHA512
3ebc126f01063835959aac32e472321438104c25909ba52ca8f5c52ecc9b4d643dda19fe1b05cd37d6442be957a4bff15dc9a2bd0b3f6e37856199fef961a334

Download Submit