5c0330fc5f693f894d2add3db19f4dc1c8a8d761013a1934e2c2a6e8dca79cbc

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
Size

3.2MB
MD5

ccd51f6b22950feb1986a4cdb5a80430
SHA1

820c9c315fc8c15c2690f757f85586ed17db15ad
SHA256

5c0330fc5f693f894d2add3db19f4dc1c8a8d761013a1934e2c2a6e8dca79cbc
SHA512

e8600133ecaf0a11ada0713031d4f9bd2075574034209e32292a1ad20dc77e37fcccd1077989e937b87cae924e3a1b74840e16f3f11ea860e66b82e402d77bfc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4820	locxdob.exe
4656	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOA\\xoptiec.exe"	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6L\\dobdevsys.exe"	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe
4820	locxdob.exe
4820	locxdob.exe
4656	xoptiec.exe
4656	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4820	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	81
PID 2852 wrote to memory of 4820	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	81
PID 2852 wrote to memory of 4820	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	81
PID 2852 wrote to memory of 4656	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	82
PID 2852 wrote to memory of 4656	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	82
PID 2852 wrote to memory of 4656	2852	ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ccd51f6b22950feb1986a4cdb5a80430_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\AdobeOA\xoptiec.exe
  C:\AdobeOA\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOA\xoptiec.exe

Filesize
964KB

MD5
97feeb208e6d5ff412f8c6eed9ccf98b

SHA1
98849f52eb243994a9600b1572aa3f7768247f36

SHA256
8502ae099a877b7a126d92db0238f805d37138c30a08b4d71fff96b5f0f06cf9

SHA512
585108f5b53d58c9f2cfe1e82c2fe2c3be1b22fa47a155621593b0b44d9339da7e3044a1ba3c1f6098d6637d280be8697554459e5524fb3e9834f251f02b74a7

Download Submit
C:\AdobeOA\xoptiec.exe

Filesize
3.2MB

MD5
d882360957bc8fa2e90f8bf4a6f418b3

SHA1
5bb063ba6d5dc1ed16a87fecd72ec8a0e25adbe1

SHA256
6511ca6be824febe2bc9c58e6fc7a578ca846a4dc625580acdcdb0243e687db4

SHA512
79daa620f59817f5ff7c8cb8a9d6fc939ef272a6ba186683cccedc5def9c0d1317bc1494be204fc43d126b6bc69a1523edcf78c99bdabde829a096c596306c94

Download Submit
C:\KaVB6L\dobdevsys.exe

Filesize
3.2MB

MD5
49554d4af667d7db2f479b5505dca05c

SHA1
06b36d8ca327569cee95660b04ed4133f960c208

SHA256
9f849930c00a1c6b2ea7458de2810f80d167eee9c0c69e50ef8d87eefa9310f7

SHA512
5dfdd241c8b1d3989b61a46d53ce6ad0715fedd831c21c6c4211d5b069a82c39337776943e936ec7773a5926d8d6e2cc961f91c9283d29df60240337ff581c84

Download Submit
C:\KaVB6L\dobdevsys.exe

Filesize
1.7MB

MD5
018e028b72fb71b88b54caf979007c06

SHA1
095b45c989d999c1d59c5a5017394602c5655943

SHA256
2e3722154511bde7969ba04638db53ce88b07aab3b945f641453833abedeb3a0

SHA512
d273e9de11fef20b06aab6bd2bfbe06b09ece832338267f1cd555856f985fb5adf6c96d4e30ba1518b70d9d780ee253641b48e4f6a36a330c952aa2ed5d9b956

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
f9d8a8e62ea17d2f40c805dce1412989

SHA1
e00171ac785d929693aea980be66e1f23aeadf3d

SHA256
8d0c39a257356ff9f753d081439d05e9f138ed03701e6038a37f5e35525995bf

SHA512
bb7572f691ec6fc2a6eb2fa763da3bd33eed12a68ba29edcdc35b3ca0c29fdd07fff9f7b7e788a1b744cd136ddaa31d724c50a6903b959d349224fabcdfd03a1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
93f241b3d14f79cd1b71132985f7e952

SHA1
a1dda9e14ebbc7c8403013471bacf026189989b2

SHA256
bcc6c96e9d11dc083fb3276a6c732c65c6ef55d29498658d4fe96725ee9f9a08

SHA512
d41b78a33df75e59c7f3736c8d86f0aee5073b1cac861fe4011115ae1bf0ee04f1836cfaebc531806fed6cc6da735f8412cdb1aa68db5b2d6edddd607dd25205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.2MB

MD5
5c749c4dbf2ff373d53ca027f53f603f

SHA1
95b26f634fe63ab5dab6687caacf57498607fd3c

SHA256
7aa899d53e03d06c0ef5558e9f11c492be3bb1d511068b44652dd3360e810e1b

SHA512
bf4b212e05d9fe0e1799906474a86e1ccf68077deda997b7ae8a3a41179217411cf96175c1bf4a9a29b4910874103879c1a9d77e45038a1d2bfd050214d81c14

Download Submit