a95356854cc88e4fe3167c445e2d77ea4e276cf1894bde3fd1923013f0a87ecb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
Size

4.1MB
MD5

d5f32707ffad3ff422bde57e0379fc40
SHA1

c4c0784dd17c38408edcc5998e2452f75689fe0d
SHA256

a95356854cc88e4fe3167c445e2d77ea4e276cf1894bde3fd1923013f0a87ecb
SHA512

f74a8a4ca38b39fed51e0960cf19201ae5ca07e70c06bd8ca76941e05a12047b57e066380adfa2fd78d1a5cc3907fc3a9b450ebc69cb8817cffbb66563697a4c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2452	locxbod.exe
1140	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYE\\xoptiec.exe"	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZR\\bodxloc.exe"	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe
2452	locxbod.exe
2452	locxbod.exe
1140	xoptiec.exe
1140	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2452	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	86
PID 4284 wrote to memory of 2452	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	86
PID 4284 wrote to memory of 2452	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	86
PID 4284 wrote to memory of 1140	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	87
PID 4284 wrote to memory of 1140	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	87
PID 4284 wrote to memory of 1140	4284	d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d5f32707ffad3ff422bde57e0379fc40_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\SysDrvYE\xoptiec.exe
  C:\SysDrvYE\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvYE\xoptiec.exe

Filesize
228KB

MD5
0ffa1ee67c3c4743a06d724c0c13fdd8

SHA1
6914ac0ae414c71b319ec093f326632154b64f2a

SHA256
5be04a8883daa7266c35a51fe1e7cbce7f155f5360f74b50ec9a4d5b6e3cee76

SHA512
917487be1b0a3f54b91d9086dfa9763d0c3fdea71a06576006664d69410940489ae84c29b64cc3f160b13fd33b5439c37f46b767ec4a4a2c0ca50866853e4c70

Download Submit
C:\SysDrvYE\xoptiec.exe

Filesize
4.1MB

MD5
b9404828d74b3bb698999f194242958c

SHA1
b26cfd867103fd7d825b1141521151f971d006e1

SHA256
efb06c3b5cacd924e09db72c2d86ae7463586f24d4e2167d487aa7bbadd95294

SHA512
a053cba05d2bae5ab9612977e6833661f7e2ec12311069de4ce231447330f47a46c04d7c7f1c36fd3b101042959d12c3fa6257cd0d147ab50143d80b09ff60f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
3cec0cdef3a64ac2945652854e664f1a

SHA1
39b9dc9c10becb2170d99695071ce721a9992fb9

SHA256
8b11cc051b09cd568de2a30ca51c9a6c6708d70a6f620e4160e0fd7f83beaf10

SHA512
61bd7d92eb386cef0d7c22477392f0278c08fec9d912be416c2a248836cf8410dd32ed7004ea02f64c28f6dad455dd3804c87d01d2c14a6c52445590acb98132

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
6feb2deaf39a7afb059d8396882c84f4

SHA1
137b59e4f3fe7e0c74b617246df05fcc2189ac9e

SHA256
0ea75e1a5a54024a1e528be72216358ba71e677f6a8c37e93a113d3456a33f9f

SHA512
8423145a47c1af3a474c164c76d03cb9b27eab52674fd34461fce76a3a561df87fd3ef79552402f4333c658365d85407f97177f8019f77f6120e158a802fd4f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
4.1MB

MD5
d73705289c65cc326c00f253f5141714

SHA1
cd84a35d5f70c296a8d002fd2e5c677f64ffaddd

SHA256
b4babdbf325cccf52b3c7af78289dff4555230883ea748776a8502c11c65997c

SHA512
14a1aac46d0dbd6da1a0f317340ff832ffec9cfbc03c8ab9b3041274935f159015251eff9ff098c5b04485bcc7e528042f7c07f0185f0d7cc536216633690e8a

Download Submit
C:\VidZR\bodxloc.exe

Filesize
332KB

MD5
c76dbc14c3e8b3e783a05d09d5fde7ef

SHA1
a733ef5c8803aaa8958d5e43da0fce0773e49d40

SHA256
077a39b47e3817a0e562b3de46edc3b7491fa41497397b352fe1eca12fbce6c8

SHA512
1d089eb57bb33b80c7a297eb220456321b150905732906086956cfe4fceeb61a43bf1301078e872ab564858676f05023975e365896013fac6d34ace0f46cb9fe

Download Submit
C:\VidZR\bodxloc.exe

Filesize
613KB

MD5
becf3fb123503a05a7f108318ef0dc09

SHA1
c6bdd94571b86e3ab83736fd2c8ae8c2f5ecb2e3

SHA256
f3a1aa46a63148e1718aaa90aff8b2f39449ea590bfc21a9b12f43c33e812639

SHA512
b7adb31ab331f3b2c6106c3765adc2cbdccf7f0dc9b56712cfb9268dd8c870133a24235fee21692d10bf8b2b8b128d966585d63b1271fa319e26dc8265dd88ef

Download Submit