290097f00700f15381d0ff3e19a2be3ac04dc15b7715856a7a2a20acf1989e5a

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
Size

2.8MB
MD5

086f1a69dbf5f5ba8c63737cc22ff100
SHA1

973c15bdf3fb8275dd08829858ce87b6df75fa12
SHA256

290097f00700f15381d0ff3e19a2be3ac04dc15b7715856a7a2a20acf1989e5a
SHA512

fb4f7a533af342b952326ca26e880803a4b9637c7aa422f3367c34fbf498a7c4e78314f8f37f9f42aeb1e244ba3f74a8c65a321ec2784b5658cd00e77c30dc29
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUpfbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4976	locxopti.exe
4372	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPP\\xbodloc.exe"	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintER\\dobxloc.exe"	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4372	xbodloc.exe
4976	locxopti.exe
4976	locxopti.exe
4372	xbodloc.exe
4976	locxopti.exe
4372	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4976	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	92
PID 3192 wrote to memory of 4976	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	92
PID 3192 wrote to memory of 4976	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	92
PID 3192 wrote to memory of 4372	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	93
PID 3192 wrote to memory of 4372	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	93
PID 3192 wrote to memory of 4372	3192	086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\086f1a69dbf5f5ba8c63737cc22ff100_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\FilesPP\xbodloc.exe
  C:\FilesPP\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPP\xbodloc.exe

Filesize
60KB

MD5
0adfdacc3885e032eb1fd49992ceffc4

SHA1
73ed7fc873d51ca8524a6b3a295ad5b0528e31c0

SHA256
ff47550d7958eb05d4bde24a1bac7be0f99f4f7afd0da28cf157ae62d7098fcb

SHA512
d1482a2a567e9aa4828d8323e0981ca2b58bd898cbd4d57f78296b038e4fe8014ed05ee6ae7f9c54fa0981b775f1dd8e5288cccb35b96e3d4937e49591989d6b

Download Submit
C:\FilesPP\xbodloc.exe

Filesize
2.8MB

MD5
d7aa398d49a2a7050ee4a0064a44b5ee

SHA1
bf708c7e20fce8f5753d9ceafbab02752ce5eedc

SHA256
f1dba5e691ba6895cfb42038e4ee577a9784aade603d64bb18abe5fda3a6b1cc

SHA512
45d05f8a338d03d12e22d0b3288c693b3499469c7851697168fe78166f1a389adafe007eff394eaa7979bb4c24326b5c4c1eb27aad90c520aadd2ccd76848aae

Download Submit
C:\MintER\dobxloc.exe

Filesize
2.8MB

MD5
dae1f2adad3e402845a89340063a96b6

SHA1
0121191c5dbcf6f1cf1d2ee3c9c1122877e0ff15

SHA256
60b8d4e9fe5180820461f9c2ce7b63f8afa04d3cbb18d81ae01a8c63a298b8ba

SHA512
be05e4d6e2cf7d57424c10a6691993c66d64640a738fad6eb4133e4ea67d2925c52c6796299752f160ec07fc76cb8e3457d0f3f24b2356cb71cdf9b25d422c3e

Download Submit
C:\MintER\dobxloc.exe

Filesize
88KB

MD5
831cb9a12fe0bec99e790c9ed16c417b

SHA1
68da39deda05c8e4f83190c504df0bcbe31919ae

SHA256
002ad8ca79efbed7c919a99d2aa2fb34e7687bba57337aee8c8885fb5be32941

SHA512
33daca5a1920e10f9664df8fbeca9898f6567672a1a6c64b818c8a579b6bacd477baf07ca894819072a52d2c8b0ad4043722e3f0dec19e3b50d742a5a58bde1a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
0373de48aa9ef20ccea8b08626a70736

SHA1
02a894264cb521aeb67223e8426839e9fdfa9515

SHA256
f3ac076e41327d621e723b06b748e41c53846c00000379c4120dfd57761a5259

SHA512
a82113a168b2098608519e416f2348ca149c7936b86080ccd7f0dccb8a79f176172d79d5a84c024cf9968720a01e764971aaad279aed7cdfbb64b8cf014a3e48

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
c4a53fe327d47c70474681a3c8075090

SHA1
84a622e73436ef989bab13ea0063a70495a2b598

SHA256
caa290fe2fd77baf3dcf8317e626fe1dc25746f87fb0842e1d227b20fb04a3e1

SHA512
ae9fca50d90ecd6d6a5fb883dd593e5bf2422ad1e3a3187a539ac94435a24e503388c7a4c4dec2bcb0c1ddd8ac90d264b5d916505356b16c584869ebb028a8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.8MB

MD5
c6e8f09618dcd692a798bd64c4895bdc

SHA1
d78689591940f71550eba75f338d67252e3578a6

SHA256
d0661ee78ec825afa543e914cd0072666c43241f2fbfee9fe378f896232cb471

SHA512
d8abe5d15e6c1336dd1553a2635d3e3992a0eba0462e6702cf0a1de0b504ccd66c0454009fb048cfdb3d9c0401dde0d3670ee7ce8066d86345091960c002132f

Download Submit