debee4f7e1ac9d84e2c64e02b7998e96ded6d4e0eced3d975dfeee07f2b0313e

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
Size

4.0MB
MD5

e9674b69aeb3cc0565b4185a5a2ddb30
SHA1

9bbbe6f45618ef7c30ed86df779245be873ef71e
SHA256

debee4f7e1ac9d84e2c64e02b7998e96ded6d4e0eced3d975dfeee07f2b0313e
SHA512

a17c40a1159c9f7be43d0ea6fb6dab1cfb81e2c038c433280b0bf8ae74d5ed9aaac0267ecc9152e083b7a57a443463f959b4a5d3adb599b99884dc26bd6b6297
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	locxopti.exe
3024	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4R\\devdobec.exe"	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintS3\\bodxsys.exe"	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe
3060	locxopti.exe
3024	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3060	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3024	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	29
PID 2784 wrote to memory of 3024	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	29
PID 2784 wrote to memory of 3024	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	29
PID 2784 wrote to memory of 3024	2784	e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e9674b69aeb3cc0565b4185a5a2ddb30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\UserDot4R\devdobec.exe
  C:\UserDot4R\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintS3\bodxsys.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\MintS3\bodxsys.exe

Filesize
4.0MB

MD5
aae8991c3081fdd153effb62081b9c95

SHA1
ec0000f8a6759f6f0198077121fddb691ccc2d7f

SHA256
848700b1bc64cb4c03bacbe7a5a6fc7903c8148d9fabb520877353240b732e0a

SHA512
f81a9f1da35ee4bbafb1f14ea04e91da9d13a43ccb57e4f006502eb43d35768d9da8cbf0b424294c49dbc80a7571e71b15e1906db4ae46321aa38d71a2a662fc

Download Submit
C:\UserDot4R\devdobec.exe

Filesize
4.0MB

MD5
2c5107f800a7ba5bfda442281381c2fb

SHA1
56dfe08f098e9950630ed55c92ea406c2da6172f

SHA256
2d774a10eebf497fa39dc5da52ebf4f1313047583f3b70e4d82d1c3c1a58206b

SHA512
e49145ce2609c6582a2c39ef66e466e364052ce71504eeaf015851dc91e3dd89d4a3a26cd170f05b70733acf61122b2bf1fe6d36e3de605d6da5236902da7350

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
6221fa27e2039e7465a6aaa4d1372240

SHA1
7871b750aaa1203521a0cd76258006b3ad9c1c48

SHA256
8470317c9ea417c5849655adb721ee95ab34bf49914d62376a7a083012ed5857

SHA512
65c758b027524b67320de7406981ce6c7dc3daa1e0d3d159d05fad0f076e7d38ccb6e442a2a07182fd4167ea10d0413aa1f3dc4529dd25919f70807b4ee081ce

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
830620a075cc3c6ce57f6dffcbc7fe30

SHA1
6b47a716b72952a3c2eb964cfdefc7a34d19ad95

SHA256
75a734753689b4f0b420956cefd505f145d01a81027743643bb77e1b050c66d4

SHA512
16b8f2b18eb5ad8efe2e2b23df28a82e622ba4c322b80c70b2e263235422b8b1033471c1802f7f912bb156948985648579e58b4b92175cd48efca8431a5c4a68

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
4.0MB

MD5
de95f3d8cdc58c9c3cb992615b507d95

SHA1
a0177251e67b531d4e1d0430e6f28b35c6e6484f

SHA256
18d1c8568b1c3358d457ea6a5561237f218477fb09c1d3b2313263086edea929

SHA512
a7133b5521a4c38c9ee46abe10538f90906bb705ed63e31ab33539229e3c31f8c495d0023ebe9d25a657372a50466f6cee29ade19a8d34e98306ae02d2fa2b6d

Download Submit