941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
Size

3.0MB
MD5

656d24cca6190b419de97393d257fa80
SHA1

88ddc929922dee50d8e11132279af714a9fee19c
SHA256

941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c
SHA512

34a3e5a6240753b0ee42330f0969541d069c6ec32af2253ce69008a57539798487d18995dcfc64037ae89b0676e8121f0e749a826fc93573d46a18ef757bde64
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	sysxdob.exe
2556	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7B\\xbodloc.exe"	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGT\\optialoc.exe"	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe
2064	sysxdob.exe
2556	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2064	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2064	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2064	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2064	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2556	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2556	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2556	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2556	2080	656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Files7B\xbodloc.exe
  C:\Files7B\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7B\xbodloc.exe

Filesize
3.0MB

MD5
017dc96cb0453efc495187ce033433da

SHA1
677acac5d9da9547a5de0aac40d6fddc0f6f4d1f

SHA256
ccd5042f91705719912f228624865f284470048f908db6a8a642b9e7093fd763

SHA512
e3ea7c31a8fad7cd6b6be0efe1c59885acfa37e8ed36a5c1952f4db8da3c4d53a8af01a7da44d09b6097970b1002e950c04a76b6249e88fa065a5f28f6e9e0f0

Download Submit
C:\MintGT\optialoc.exe

Filesize
3.0MB

MD5
0c96f7b16170ac3cd36ac1145f8c020d

SHA1
6b3f42d2ebd90812793042c68a1e03a446f5bc97

SHA256
9539fb4cb287f09ad9110d4dd292509eb3d7de92b8fcc09cf482680b404b85a2

SHA512
9fc415411e9d3adf3b91720390fadb060a7456a05cb750c2910a1fcc2eea5d6136a29c385e312027716d349369fdca1b425691edf9b5bf4e16aff69b91f4e141

Download Submit
C:\MintGT\optialoc.exe

Filesize
3.0MB

MD5
952e36b8d8ba788919a70dccf918199d

SHA1
7ebd1080215767311c93eb67ed80d48bf5052d0d

SHA256
4dfbf0ed3162bcf7aea4f455dc77f7bc0f47521d5ff9bd8f06634645c546955c

SHA512
8bc2bee6106f849cc22bc51fa9574422c6d918c6323d0dcc37a7ad9a762b9a1bba8a7d512f303cdb4a9fe3c45fae2069b9f6c91560d2dbc95942727619e38ae2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
3db0dacc5026820dca3a7a26411fe9d5

SHA1
444652313406ec6231a4421a651f8bfaf0a98dc0

SHA256
68c43b42ecae59a2afda7af6b855a72e56cce0a8b490b18e9672721866c2aadb

SHA512
70f8af51fed2bf0c7a7e76028768cc51e2ac21a15a10437059187ba2ee4c8ce4554df8015a49c5cac10bf6f9e90e792cd65e93eb600d4364c5ad1bebe8ea6686

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
6746513937495e54e7c473a395ce71da

SHA1
6e513973ff043cf4836689e4f6a1aa9eb145770c

SHA256
34beb71b6e7067b23939cc08477ec763d3a487fde3bcc7af6e80efbcc6e57550

SHA512
f2601dd67fe8d1b7324da7eceeb69349fcfbcff125ea81de769318d2edb1bb34be0a734c55c4b9f6cf71fcf117424a333507d771c5e08f7ec1f160e0fedf3190

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.0MB

MD5
0a8b98c501f31f7f6d3a18d1220147d6

SHA1
182a2534ff64d4858e462cc393eabd27de07ac67

SHA256
87c51a2c1eb9f9752c8feaa08a0a8a44f5cf25656d968262d5fcfd2012a4e4fc

SHA512
7ef8180d6676d828823141310c1d6d5f9d69fa46dda6cccb50b411efd3c0491a7e0880a4140528920cff50e84c95f13f1d86c39f786cf9827cf7f552a4ec524f

Download Submit