1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
Size

3.6MB
MD5

fd9d6e7114b8e4ae748c96a2630a6ab0
SHA1

03395ae30e0a752a93e41639f0bd74dbbe5db464
SHA256

1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee
SHA512

e9ad0908d810993b08f8796f019e1c54a5893225271d2610c9a1aeeb899ea171ad045d7d4e9d99e49b19afe133dbce10de865847056145bfbc41eaf9f9ae370f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpbbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3180	sysxopti.exe
4844	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWP\\xoptiec.exe"	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax37\\bodxsys.exe"	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe
3180	sysxopti.exe
3180	sysxopti.exe
4844	xoptiec.exe
4844	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3180	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	82
PID 3368 wrote to memory of 3180	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	82
PID 3368 wrote to memory of 3180	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	82
PID 3368 wrote to memory of 4844	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	84
PID 3368 wrote to memory of 4844	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	84
PID 3368 wrote to memory of 4844	3368	1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ca351ee8ec822d8fccba6e8fdf5789b51df08c70857b28918cc00476a86f7ee_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\UserDotWP\xoptiec.exe
  C:\UserDotWP\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax37\bodxsys.exe

Filesize
3.6MB

MD5
e0403c3705e2ce9590c0749b8f0bb004

SHA1
59644098c1f8ab04e78912cabaee1999998d65a7

SHA256
5f04fe5f854e7e3b778cd48cc8df37a976d139f79ed376436688c8e41c101188

SHA512
05859b65564f7c8ee8dfd7b9cf73882d91a7d999e597990646a22ea112d295ec164306346336084c7c649424e90bf6bea68e207fb02c9cbb5781155e01825d03

Download Submit
C:\Galax37\bodxsys.exe

Filesize
3.6MB

MD5
04dd1babac170a3c181d61c8fa7c83af

SHA1
a17ace03aee80383d9bcc1423d4b6bc2d3d29838

SHA256
7308f1f5eb23706dd686ab510123f6e4d02d7f374edf399c0c71e4386865065d

SHA512
b80961c92368611186ebe72660967b678aa01988568cff0176ac2cae5c75630b4687a0b44f5b09e7d5f960bed966bcff2d924e35101ee5c3d99a4113e6e0edf0

Download Submit
C:\UserDotWP\xoptiec.exe

Filesize
669KB

MD5
7a2bd0bb041bd3731085fb77d27d5243

SHA1
1d7a55fe4e406d69c4544d8fe6f2706f4b2fec03

SHA256
f8490081cd620648196844fdeba71f87d542bd0d4957c26555e066ab57525357

SHA512
ffef73b39e9e38834b8f8419dfc1487c08d540ef7abc7d5e942ec58befa00d8aa868cfb76d7029bddc7c4f95891d7252d945449806ff06c056de450ec84bd08a

Download Submit
C:\UserDotWP\xoptiec.exe

Filesize
3.6MB

MD5
3d637d34b363595022b593a422903193

SHA1
a9bb240f9fca9e7e699d5cc22cbb08147e820ed0

SHA256
b69502faa9391d4faa0626741e76b013a17c36a606a2257341932f1dbd64660b

SHA512
671e22cf4810d4ad12898b0c27003d7917361c0286198e80baf5db1190b1c96a0a1a33149743d139366122a8c1b8613392453dd5810533276c63d4f104dc7f51

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
637bd0f0faa85a6a1f4435943f64b205

SHA1
cd53935b874b0901e7863540b2ada5de7d5dfd02

SHA256
22723d8afdf9e7342389c3f4fe31bb7c2f9295e52c53c6bd09fc33f57e2816dc

SHA512
0632a5d4e0336c6ca1418424e1f3c28c1179b57f4ae3ad0b23f5cb5345bfd857ed36cce5a620c46bee1a03cf9df5f2d24a74b9ea352fd826e74f50306679a2eb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
a1b0de0cbb025c43d42c54a8d7f12c2c

SHA1
64d515a158bb3cffabab4cb970fe2ecf29b4bc9a

SHA256
3efc304cc3cba14d6c119bf619347f41416d8d2d34b55b9f21f2724f1eff8f98

SHA512
508392e40893261b0ffe6c1e65d34d60fc7da80742ff97106c61a525769a834b2b749eeb4100cf7e6ccd25ad6a01ee5fc3cf419b53929984f6d52b6d444510d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.6MB

MD5
595db93f22cd6c90658d6642613039d6

SHA1
c11fbb3dfdabc3c1d05661d534802929527fe3ac

SHA256
bfca54056f2bf7eeddd0453d317701a397ef404316fb7991f2544f5e78cd7d84

SHA512
098ced9fe7a37adb9f43d102df7b836d0a4c6ba6ddc0f33af8a1e20718f19720eca9d3336b5f58382621aa8313430fb7ae3fdcdc69b1b5a1666eba6e6785a153

Download Submit