0249dc90c9d106d075a4b6aa40c00ff321689a5097dd46dbbfc7237ca2292a59

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
Size

4.0MB
MD5

02bf927ea3e045428e9b0b00a75806b0
SHA1

bd6d303b071ecb86a3f5646290ca4b04328168b6
SHA256

0249dc90c9d106d075a4b6aa40c00ff321689a5097dd46dbbfc7237ca2292a59
SHA512

838bba160850ee25fe216e0807afd1949f9fb58d3ad110aede84e998d6af0ad070617c7bfda2e4d89c02d53a88bedab96d237e4f0e7b821ac14532e1e2e57e49
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4200	locxopti.exe
4164	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4I\\xoptiloc.exe"	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6C\\dobasys.exe"	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe
4200	locxopti.exe
4200	locxopti.exe
4164	xoptiloc.exe
4164	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4200	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	88
PID 3236 wrote to memory of 4200	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	88
PID 3236 wrote to memory of 4200	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	88
PID 3236 wrote to memory of 4164	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	90
PID 3236 wrote to memory of 4164	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	90
PID 3236 wrote to memory of 4164	3236	02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Intelproc4I\xoptiloc.exe
  C:\Intelproc4I\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc4I\xoptiloc.exe

Filesize
4.0MB

MD5
1f2e7ffb650fbb6fc7333f84670b26d6

SHA1
24d4015dfa6dc27adcb9f2accbdf76018963b63f

SHA256
1e5f23001bab1f1c8f8c5dc0f7da4372f3a17323ff9f3f1671f947294aa99e2a

SHA512
8756540a5c3d13d6fcd91ecd089c7a110238aefeded08136a25e8dab435f7c72ecd9eb941bf343ce493f956c582b89fb48624b5cce874b61d05ab67e922d39a2

Download Submit
C:\KaVB6C\dobasys.exe

Filesize
453KB

MD5
e931ca3c37427bcaf063c90a88539c4e

SHA1
aee1c30b75cd18b3aad98d1a3a4a756a993451df

SHA256
b3a1f56cc474da102a948e5cfb78f23d590536f93d5d35cea9c589f81dfcdd40

SHA512
8df795d658f2c61532e78cefc3fe60cbf7fcda4170172e2851307a879b86834f3634ecfbe27bccc464687c4c53f488b61b6fec6c36fd44b8b76366b58477f956

Download Submit
C:\KaVB6C\dobasys.exe

Filesize
4.0MB

MD5
e210aae0c7cdea304e044c47ec827242

SHA1
03b442e9039dc5d2a410f469f3a8dd729d457496

SHA256
bc61281f10212486d51efa864cb2dd51c2a100058691bf8d86055180833cea4e

SHA512
af76ddddfdff92e0962bebc274717adcfd4c7c12bdfbd670bed2f92919e3445c3b7ebd2a2071c8ade67468a829eae0cccdc80f84d217bb9e2794138cfadb4f7f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
c7b9d276a8eb7cb01835fb7789f073a8

SHA1
e0e6f55329080ede1a2837102e5119fd82bfcd8c

SHA256
9d0341a2cf100e52526cb39c16f66ecaf456654d4f37a557ccf7fb779303faa1

SHA512
462b2ea5ed2c9fda7ce53cd3dd5481e410fb3b9af664ecf236cd39bfb3cd7c26dd758e1a14f004e8f5a9bb3eba12209e60871b274ff78f270c002dae1e047a20

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
208b1f6fe7913b57d8e0a2d53d672d82

SHA1
c561c4e87c9bc88ac6cc52d16fafaf091d12d9b8

SHA256
24c93671ff6ac5d4a79b06204eb0486e1ff00496a2cf2593d232b50d604eb22a

SHA512
f18a306670f4362c0f45c4cb2cc96a2a968a5e48ddfdd55ad81e5ee745fd7d5f6b50cb13b1bffff3d3dd20bf2dbb98493c248cb05b0a3659eb2e0bcd5dff9998

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
4.0MB

MD5
7fb116aab53f5c4161c7ad8edd4cd331

SHA1
df04edf8d961a57b565f5f1f2be22b5f7f7a36b8

SHA256
7a75e802d78e5fb2f83466bcf77b5d9293d3f0ff3d5ac67f65ba048120aa23e3

SHA512
89f80ead0dc6c2c55a8ff436ad34b8621915a8301ddf84d99304125a8553e50c467dcb2ce24a36c8b3b64140da79dc2765c5c97e6cc87ef43cb362515f878cba

Download Submit