8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Size

3.6MB
MD5

30ff215da9c612bb7634dc055780c960
SHA1

a60f20058314531bab7102f6b826eb65e62f2a03
SHA256

8ad57c37b0619a71fc3306f7ff00c7c528180737df8b30ad9b8edd7cb37730de
SHA512

7d1429ceaa6e4b5c2686ec581020c5b9d128a379001fadd01446069fed256e4717f312fca63ea9cfb11b254a0cedb0a374cf31fc036b80b504fc4528c699bf7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	locxopti.exe
2600	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4D\\xdobec.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU4\\optidevsys.exe"	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe
2504	locxopti.exe
2600	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2504	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2504	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2504	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2504	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2600	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 2600	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 2600	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 2600	2192	30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30ff215da9c612bb7634dc055780c960_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\SysDrv4D\xdobec.exe
  C:\SysDrv4D\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBU4\optidevsys.exe

Filesize
13KB

MD5
8c3627c138b69a29f1f3e7743c377ac9

SHA1
38d00db20d4ccba9fef285bc5b2c50eb73f352a7

SHA256
2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627

SHA512
0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21

Download Submit
C:\KaVBU4\optidevsys.exe

Filesize
3.6MB

MD5
324a8d9dc705201c9acbbc704dc2a6da

SHA1
7804408b7ebfadb8f125c67ced64ae8728069922

SHA256
ce4290b973662a63ffa6ff5b54b5136442bc4beb9c048816734382c862f399af

SHA512
9b11d995c86dc54fd6d3e399bd9b0269ec24c09b8b7e4848bbe3a9eb28a5d2d7b63717c841711db629f49a640296e4c30e1f0f5461df521c3befc79fde206441

Download Submit
C:\SysDrv4D\xdobec.exe

Filesize
3.6MB

MD5
d3490b10df0ed893da1c0c8c3b513c5a

SHA1
45f58f57fff9ac429b25d9ff193b0d223e41bd64

SHA256
f8eab64a88571fd7cd7a942371fa46bcc12fb914b7bd69e45e55bb5cc024728b

SHA512
0ca264c264c1553c6e3a85ae036d8076e554e654fdcddc4312dee692f4a772a398539c58217f19f12bf9f9900640d155d23b2b291cc59072d17784e4c85d5f4f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
d50447e54b4e6a7dfc5412076a20e11c

SHA1
f3d6f23817c9b4e12ffd0ab8643415f8ffa260cd

SHA256
7f12ce941be0d40d6273b805ed6b3a9125e290dc0f52407ab1476e6409372c40

SHA512
69be7cb7d54ad5cc9013f086e22324eb4a6c235515e7dceceb7391520504df6120134c6fc8492475f64a4e8e75c04e63651395da49cf416cb7bca3302b9356a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
f749ec4cc196567b4e33be2a25a3035b

SHA1
1ae5ba2684f1fa2942fce503190e69ad970a4759

SHA256
5d8b37e3028a20105976e68cf537474676fa13fff8be680b07473fa1f5fd7f67

SHA512
d5e541808202be1d2932a74bf12bf42468896f6a1ae2cf63f99f1a7f2910194d08255fc4589cbf9d8204c26e5003ccec6ff1f4e5bdf7aed468cd378b9eeed08c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
3c585195057a20f2188d7d2f6e8a1ada

SHA1
9b3b095185708ae851ac7576b2ea5da293e8aa20

SHA256
6b127c5a78e2c91965acfb579a963a9e7aa013637082b56bffedb2d560f656b7

SHA512
c8ad97d67f177e21139136429a21a7903800002e031b37e63dac2c1332451a59b9dc3fe99745acd3133317a1eeaa55af9e4ebdd3d6181782d3233ae63621f743

Download Submit