7b13a2075849e5a28074722fea59e3a2c248450a91a8c9b84aae3af89a555feb

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
Size

3.2MB
MD5

46f13e0b1468d754daf4f63856896730
SHA1

eb1c9ba9b0eb335ebb0d6c86490976e49d059f78
SHA256

7b13a2075849e5a28074722fea59e3a2c248450a91a8c9b84aae3af89a555feb
SHA512

f14032702a2a338cca5b426d72449d22b45d248bbca20e687b3b74ec7282f0f47807b4850293599fcea7e61f3ca7a760d534e691a4f299e7b90bee3763c92600
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	sysxdob.exe
3040	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCW\\xoptiloc.exe"	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWX\\bodxsys.exe"	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
2276	sysxdob.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe
3040	xoptiloc.exe
2276	sysxdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2276	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 2276	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 2276	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 2276	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 3040	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	29
PID 2700 wrote to memory of 3040	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	29
PID 2700 wrote to memory of 3040	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	29
PID 2700 wrote to memory of 3040	2700	46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46f13e0b1468d754daf4f63856896730_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\UserDotCW\xoptiloc.exe
  C:\UserDotCW\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWX\bodxsys.exe

Filesize
3.2MB

MD5
093c7f81494bd66621db9fabc4e771c6

SHA1
15b24f6764d633615fc420bb56133f974424b268

SHA256
cf11af1c68a69922defe255f53164d73eb57c4667238928f10a3eab4d130ee8b

SHA512
005c9158e7fff65bb9bf732d18296b228515bfb661605213a13625f16724e7699304321a97daf4eac047978527c001cb559671e8384ce6cf5a032e34a9c5e0ca

Download Submit
C:\MintWX\bodxsys.exe

Filesize
3.2MB

MD5
b1e0e0045d758d1e71212d2871e2ca99

SHA1
cb8d2b65399b08bc474d5272ffe1e261a3b3f83f

SHA256
090291795eb358a6a7b8869e7dd1d6daacffc0ff8e17f4a2a384fe0571e877c0

SHA512
70e73c945855161ce269d7ab861bcc1ed9c32fb70ab01583436cb68af15fbd5698bd6dd1eabbbfa2f53d17c316ff9d9b2d1cf54c8d90e80c78a4050819b6f97c

Download Submit
C:\UserDotCW\xoptiloc.exe

Filesize
3.2MB

MD5
9f15ddd42515b635b47a1c041840e7e2

SHA1
00e12575f40047d74feb5503a654894ce96d35af

SHA256
ff4164c6d52fd04c97e4a05025a6747b4ac5df6e7d8aa0060336d61848dbcf46

SHA512
fc9a6d3011ab6fc9fda7f2b2d7f779fb779b71e0a2e43a27234d85c3c7c5e673cf90132184647b22c1b71b336c83fbcc3a5ee8bf7e005488ffce9fdc189715a6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
889294a957f46acf1d3c4f6ec98f0ea7

SHA1
7a0f6aa7f99a4cff9430f2b13559a26eea5228ad

SHA256
06719f839ce6ba90958a37d9bc47267f111bb35c59e98482113812837f32b66b

SHA512
25532fc0fd969126507845ef0a09fa089ca19147fc091cb0e96a868f00a10a4997a9e9b277e0d78fb95d376beb4dcba78ba1c320d981fb63d054bd1a99871fa5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
aaf046a767817ae77903cc0229ee83e9

SHA1
1fcf6e38807a0d02024b869355843e87404738ef

SHA256
79ab3bb55df2486299a90b5878e037554f9bafb6585194eed6d8ecacf3236df5

SHA512
cd5e491749ec385621d6ee42df7c23079fc7d6f8bc35bd7921fb0d27d7fbf70bb483657c1aec5caba8e0783c7be6ffa98688d2b1fd85d17f87d7133c98a2ada5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.2MB

MD5
f67f8c25461687c59cd935ad5589f174

SHA1
f595140c337523fde1029db63d06721ae5b6c06a

SHA256
339ac57cbf8e8b3a9126364d88fd81ac78c2c57732d8d0b540a066cec60353a3

SHA512
2e3cca3b9c6d7a2eda601efebc38b4d4d3a782a7f02526bb1b7fc9a0362047430ff6e9bde3a190d14b22de4987bf6615a167844613b44d47796b5bc423458ee6

Download Submit