9f6906f5adfcb9cf6858de673937449b4c31efe9adcf6ca6b58e5db25f013541

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 00:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
Size

3.0MB
MD5

1421a7733744aea0ed2c02f6dcf0d320
SHA1

ba76e7f3e61eeb60cb65cb2d988af0fb597fa782
SHA256

9f6906f5adfcb9cf6858de673937449b4c31efe9adcf6ca6b58e5db25f013541
SHA512

f4c2b9e1ca9c8e978902ee69dc0d1fae6dd3d29ba927be291997e5ae242aa2742aa10b16b76d4c03f652b6adf1a80e980c155ac2c3f2e6a4fa14c95655b6ce56
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bSqz8b6LNX:sxX7QnxrloE5dpUpA7bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	ecxopti.exe
2568	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCL\\xbodloc.exe"	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax92\\bodaloc.exe"	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe
2196	ecxopti.exe
2568	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2196	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2196	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2196	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2196	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2568	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 2568	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 2568	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 2568	2068	1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1421a7733744aea0ed2c02f6dcf0d320_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\SysDrvCL\xbodloc.exe
  C:\SysDrvCL\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax92\bodaloc.exe

Filesize
3.0MB

MD5
d4117fb69738f2b345d2e81a693a2d05

SHA1
b9e25fd824d109ce96700bf5df307659c3cccf4c

SHA256
c4217704332569bdccd8245c09c3a0da7144ca40c6db804774280126828c2dc4

SHA512
52f84bdd1df2cd1c39a3ca35e5bde940d13ecd0b6df7c1341758c7419a5ea127a1fd43611f2e2cc877e95f17c88c2b2858cc75c04c389b8720e25b06562a571e

Download Submit
C:\Galax92\bodaloc.exe

Filesize
3.0MB

MD5
235660e8893f8e7a1ac622cf707f548f

SHA1
0b0302914863957b09fddcc9c50b5dd563747002

SHA256
2711b7e26ffcfc4c5b1b7d80cca729a4f3758ffd327fb0078d824258d3373cd4

SHA512
c58e0dd25324502935b8c1e9670e82d4330bc22e512824989a0189b050dcb83f003754f961ec2e5c238498edbe1be8183dd777ff00ff955afeb0285836ec46a1

Download Submit
C:\SysDrvCL\xbodloc.exe

Filesize
3.0MB

MD5
05cbb58b092f306aaaa8250143151c0f

SHA1
a2379d41085315c18517be1d0636ba15d1444a1c

SHA256
f2f957db7dd68b46bd56fa28a487ae6ecf4ac478cbd6d0ee6aafdc75728d0c2c

SHA512
42c062b8adea207fc7dfc8e9e2704f67cf01aaac25f28c34047bb6a515f247f8e588a8c9da15e29182d4e6588e6238e4e04334cd7eb5830d451054d141072e01

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
695dc9ebc342574ba09f2d4b0002afef

SHA1
6ebe1e229ae74b50584786403a4e9542c879adae

SHA256
bf422b5cc1aaadc7061440a534e1de9ebeb33c88613938a5cab32ab8a04e0e16

SHA512
0be354fd4f791fd4fbfac33103dde008b06d122023c76a7682b9f809f0070a212deb594988d605120fe237e15ce7607d7338c455f4f5b519b6e04ff6d32ef078

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
d2508a148f07172254a6fba792847093

SHA1
7337eaa99e2a7efff8753afde044916987a01798

SHA256
9ffdbbfbb79ed0342068124f0cb347a0a844e4ae27d957617419355fa9eee398

SHA512
78fc26e3ca2a57f9e55a306100180fd670a3d4dc56eb8e17b4337d760a0c35a3b706dbf90d34a93c8821a510d851b8fac881580ee824f60bf3cd873c77a98257

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.0MB

MD5
36fc525608cc8a016ad0b19a579b0a1d

SHA1
42e829fa6d658b9f409edfbda5b466b98172291d

SHA256
b9bd92cc7bba37468983616cf33a9af93561dfabc6179abec686fc4fc23beb86

SHA512
9774563ff7980ed265daa5a8cd6ad38613327581cb2c34ffd89339d6449e76a4eb79a8f087ffd176db8ab0fc9f43edd694c0caef8d3fa0b308a105efcc172087

Download Submit