87db2c7fa157547340cfede49dd14abfe6073fad58289d69476d27593636031b

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
Size

2.7MB
MD5

63c7f13f57071fdd3d83b06d385f80c0
SHA1

8ce5b36a229831238417cea20aeb94203b665c79
SHA256

87db2c7fa157547340cfede49dd14abfe6073fad58289d69476d27593636031b
SHA512

47e5ef910373211e468e22e3eb1d586b08afc6d41a0d1397855030926598989e773e9a30c1f1dc689a5d098139bf896799064f7256ed946670b2165f149680fe
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpY4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	locxdob.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1536	locxdob.exe
3764	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDS\\xoptiloc.exe"	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGH\\dobaec.exe"	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
940	ipconfig.exe
4620	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
1536	locxdob.exe
1536	locxdob.exe
3764	xoptiloc.exe
3764	xoptiloc.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1536	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	86
PID 2060 wrote to memory of 1536	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	86
PID 2060 wrote to memory of 1536	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	86
PID 2060 wrote to memory of 3764	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	87
PID 2060 wrote to memory of 3764	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	87
PID 2060 wrote to memory of 3764	2060	63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe	87
PID 1536 wrote to memory of 1932	1536	locxdob.exe	99
PID 1536 wrote to memory of 1932	1536	locxdob.exe	99
PID 1536 wrote to memory of 1932	1536	locxdob.exe	99
PID 1536 wrote to memory of 3520	1536	locxdob.exe	100
PID 1536 wrote to memory of 3520	1536	locxdob.exe	100
PID 1536 wrote to memory of 3520	1536	locxdob.exe	100
PID 1536 wrote to memory of 1776	1536	locxdob.exe	103
PID 1536 wrote to memory of 1776	1536	locxdob.exe	103
PID 1536 wrote to memory of 1776	1536	locxdob.exe	103
PID 1932 wrote to memory of 940	1932	cmd.exe	105
PID 1932 wrote to memory of 940	1932	cmd.exe	105
PID 1932 wrote to memory of 940	1932	cmd.exe	105
PID 3520 wrote to memory of 4620	3520	cmd.exe	106
PID 3520 wrote to memory of 4620	3520	cmd.exe	106
PID 3520 wrote to memory of 4620	3520	cmd.exe	106
PID 1536 wrote to memory of 4444	1536	locxdob.exe	111
PID 1536 wrote to memory of 4444	1536	locxdob.exe	111
PID 1536 wrote to memory of 4444	1536	locxdob.exe	111

C:\Users\Admin\AppData\Local\Temp\63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63c7f13f57071fdd3d83b06d385f80c0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:4444
- C:\FilesDS\xoptiloc.exe
  C:\FilesDS\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDS\xoptiloc.exe

Filesize
2.7MB

MD5
edaa95ef17628fb1e824f95c5171e11d

SHA1
4b1bcda95a175020338d7820e8a73f1bda641770

SHA256
4e8b168563ee3a5d3fbb2716bf4f2aa1d81d8cab2b88e69bb15e454ffa2b79c2

SHA512
bc6df80ed312befce2dc74b8b164be6175639e25e55cb2f17f0d90740d43f2e52b1441904bee0c132f4e154c03291ee916439bc9d01fd2f879988a69dcc9c0f2

Download Submit
C:\MintGH\dobaec.exe

Filesize
2.1MB

MD5
7505e5e173eb7edf31c99c6e18cdcc56

SHA1
e86d2e0911a39e6bf761b8d11b4beb23b7ecb8c4

SHA256
d4ef8d52a04bde9e681a7c0a9fce6c77a1e179e2635610dabd4ef13061cf3594

SHA512
4850ef9f02b185ca9d51c306a50cd8940703a82fb93c540ff0437cb770c2f16848f5a14b4bc002bcaa5299846e79ebc78cbacbe2c582197e152265503bd9e3b5

Download Submit
C:\MintGH\dobaec.exe

Filesize
2.7MB

MD5
ec8faf0798a6939e092f5fe3e914f8e0

SHA1
cd51aee177732367b7e4340c88ad0783839c4b28

SHA256
c960388fb1c4c72fb791582fd980da6531f2609eccb9c0d24ffb518a3e9a7144

SHA512
ec809969c6b52452728d0a1d485c6ff4730f20fbc9b68db7ab76d6afa351ff895b2be40e7a2c7e897ba1066444e411b4b13bb453786ddd4133a2c943e0640d89

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
12eea24867e72b0c421461cc03a54d55

SHA1
1b10ced7640335ad6aaa25c421acab8f6e703296

SHA256
459146096aa8c1134c81f29cdeee40636fda657946c040694f7a1e851d1fe67d

SHA512
fd0c6a590a29991a181e6b542a2f1bc3f9fa5404af98cf0f23fdf7c25fe07d7cd2b0dcf9089cca92db95d734e770cf1ad9cf26576899a7872142342eac848065

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
3e09712aee889f9b4228c4409f2d27af

SHA1
112e4b2aeabcde42308baf178627e6772147147f

SHA256
f7f3cdaf6c74c5a8664d572121cc07ea24dcd1bf8959dc0e238b6aefad68eeac

SHA512
a1413265ddadc8b62cf85805bed80c53a0988838077ccfb1109af32e5af0b44a91d840923b7011810b5590d1a3028b2a2715227435fed8a5b9b548a1c3fa14e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.7MB

MD5
a36903c5e6626faaf7823100b04ed43d

SHA1
0964991702e192f634247e5ef668d95f895779fc

SHA256
804381656e3630c67d91ed41fd15402b0feebec2adb8d628aca98257a5d83b7a

SHA512
ca1e616b9e84d79da5fa1bcb81768d996afb68da7d919c82dff5d5f091c8a786956a43c88d493dc6012432888a213e186d2fd11853b0196772565a86cb679c39

Download Submit
C:\Users\Admin\grubb.list

Filesize
39KB

MD5
b3016d405241835777a174f01ccd0034

SHA1
09467b32a5be6b0fddfff5cee7b53d3848bffa15

SHA256
01e746c0e9dc3f5f6bd1dc7ff051d529cf77932df990bd4f18160f64bcaed71a

SHA512
582cd576a8bbe2b69e7679b458a74d3564a1e4cde4979cac43f59942c77fb07153c26dfdf3ed6e54ea2be17aa13d17f1b7c213ad2cd5637bfe8d48e73a004c5e

Download Submit