f5842ecbcb484bc13e9bcc8377c37e07195036d7fb05c2ede21fe46ea0151ab4

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
Size

3.6MB
MD5

6e1ab494035aa17d07a3b8c8d0dc6820
SHA1

37b0d34c7e04784b020aef0436447a738db8857e
SHA256

f5842ecbcb484bc13e9bcc8377c37e07195036d7fb05c2ede21fe46ea0151ab4
SHA512

18f9faad312fd3dd034f7668f1f5fbeaf34a435f99fa4c5845acc43dc40959a5743b74efd8e0fa1fc78f75b9992084033be3bbe8516a83c6711b8536a877178e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	locxopti.exe
2568	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXU\\xdobsys.exe"	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHV\\bodxsys.exe"	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe
2652	locxopti.exe
2568	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2652	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2652	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2652	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2652	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2568	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2568	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2568	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2568	2984	6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e1ab494035aa17d07a3b8c8d0dc6820_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\AdobeXU\xdobsys.exe
  C:\AdobeXU\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeXU\xdobsys.exe

Filesize
3.6MB

MD5
1c52614b76c6e730e1e3fe3e95dd2416

SHA1
5d787015bada9e2b36827cf683b71210223bfcd4

SHA256
ea812f0518cc7a951501d83e8c568c251ce52632d4bc5deb4ceb56ad0c6e308c

SHA512
81f27c74b68c1fdcf41b3e958141f62e65a4a5d5d62c073311d05220790d5828c9bc1f65a724c1bf6c04f352f3d8b62f7b8a7032f641aff96233ba71c504539f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
22a2f1f3cc03784b3af7ae02e0f492d0

SHA1
80a3c91602f2eccf9ba4c4a14172ca2a94a1658d

SHA256
f1430af27793af52bd7419897ba156acaba36fb46096172b51faea0742e38855

SHA512
26c8eba973a734e30093d0a7149a3ced32a20b5d385a87113dde94fce90b36d7604ac674e861257d5b17cdf124c05bb5c2f0a07d67a3d101893baeda55393efa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
09cc8e722e454d81883f31b13e20c058

SHA1
6220cef9a029d6a345783abf38a9b742ed409b02

SHA256
374112cd82fdb6527bca8bc29763cdea4c6221a23ae20b5cd78bf63af8fb7bcc

SHA512
8db58ceb0fd4912a4350dfc52aba6b369fe525fdb72802ffb7779ab135c11b38c034667664f808f8ee4453b9e7e29086c449c4e2b18a7c7f32ca720f1a727869

Download Submit
C:\VidHV\bodxsys.exe

Filesize
3.6MB

MD5
a42aaa222ab4acc2e7033fd018cf7a62

SHA1
b8e7964178b2f9c33f9007d57e2106476596475b

SHA256
66ac3418c45887677a9985e00057487580546d23c5abebb1c406b9ab9f25e1bc

SHA512
2f80a8fa0cbf07dfe6ab7923d1b13a790d13f631b9a5eb94e80c93dd70d7ff6798faafbbd0f8f40ae17834f152a95b66a5f893d2dc173f3b753c879d4b3a590e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
fbcf9bf3b49344d79c38f9c6751f3db7

SHA1
f3b6ac54bc9437778c67c8afa94d615f524b437b

SHA256
9b485d61e52b61dbc8b22f5dd452ead2b69b757828376b180982b86436e90d84

SHA512
1ac1fd7aae5097afc1cad887457e7f48a37b5f75176b1a983e65640b97c370c60cc97d17920761a9c0c413931e0ffcfce16b3742e6f5cb89047af4f993b4f93d

Download Submit