8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
Size

4.0MB
MD5

7bfd20db106b80d913739d6cec3e8e20
SHA1

e190085bbcfaf96228a58e4c19c210b9a2672afb
SHA256

8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc
SHA512

143d4080d835fd3672241c51af2e458f0f329cd64d477be690bd054c2967e7f57a0c477b8ea73ca29f5766eeea66f103d51c25b8f84cf1a758fc1f41cdd9a287
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	locadob.exe
2524	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9W\\devoptiloc.exe"	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV8\\optiasys.exe"	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe
2884	locadob.exe
2524	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2884	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2884	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2884	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2884	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2524	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2524	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2524	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2524	2184	8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c7fa8d0100aea0ad0acd06d87c850b04b4c577e6eeb24ae9bfd16b108f58bcc_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Adobe9W\devoptiloc.exe
  C:\Adobe9W\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9W\devoptiloc.exe

Filesize
4.0MB

MD5
2f2e54b2e52b96252008b0e40e276675

SHA1
1ffe8788a6fd1c3d316e249510b928bc28a792db

SHA256
1e0322f15018b9063ed0bd65019f86ceb595fcbfa29003363ef05735d02b2ac3

SHA512
978b587de6bd823062db64865be232357078247cc882f94bd8a0082dd6b16714e2531e021f311b6b0700d33ca538f050493d0e15096be0f6ab306a37f4d87710

Download Submit
C:\GalaxV8\optiasys.exe

Filesize
4.0MB

MD5
64679af02993a3d0d7e70c65d2b72b7e

SHA1
288615bedd4081890fe3509d573ebe72dbdcadbf

SHA256
bab7a24811f0f37f7ba6302f66555b8ee68c5fb439db7195403099d6a9c55090

SHA512
3e14adff2e9ab7b2b39ac220eb441da7872f34cba0f3b0943211aa4c50ed0cf7549a872aa5e0a09abdb20276a5872423592447f5a0064115fac71fb92f4185a4

Download Submit
C:\GalaxV8\optiasys.exe

Filesize
33KB

MD5
3421d48078becd2757242c799c1f76fa

SHA1
f712b81d8b836313c299781997e39a5f2a55b101

SHA256
903d682dfc442dcf9784154e15b1b6d129e7a7c43ac53e742d6a50faea2c2d21

SHA512
511e1f4bb429fad3d667d12a8c03ec79d63524461ae510626eb716d362347be711fdba7cec3a84eb383418fb8cdbbfbbe56c4144955c563df913650fd87fa5b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
1e13b39e37dccdcf9dc7ffa9fbb74cf0

SHA1
26e2153b8a1cb3f8f5b8e33e1f455dd2098ed98b

SHA256
0f75c09492e4512a2629985de5bacea79f0036506fba559a32e3fa8d3091ccda

SHA512
521f512ff63a31e6e581fdb8d0881f1b5e48a1889e3ace618af85c1ffd669f01ab1acaa38c816db006d3dddb95c4499fafc605032a782f8964503a6fd17cb3d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
0b5f8a22f6cec571c357e93bc3f2b27b

SHA1
df01ac8709e22472bb2d542bbbcd8d454dbbcb8a

SHA256
59084df6e5aff47844e880ecbb17020e2d97a5721aa25b8fe307225e7343b488

SHA512
e709ce56c1e3cf4dec1db987dc71f5041c6a27f1e3d2e97b10e9892e1a42c653813ebdfda164d73baa64673a038e4ff4213ff80aa5a9c951addb064028e1d4f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.0MB

MD5
ecbaa42b87bcf565996b6aa553012a95

SHA1
c864187af68394f72ec1f9df92347fb15c566c37

SHA256
43682a1ec5729f2ce498a9c4073efd3cdd45f955ddedc75f882b6894b0c074da

SHA512
6f0c77971feb4f09eca220dcde34ed75d8c6a6c7974377521f14ea53ef1b8a5df671f779c4f2c5b403dc4525c95bf3b476349a95424192e7362520b368b01e2c

Download Submit