f99f68c777cbc2584c3fb8347d41be2ce2575a8cb782f4e026e15bde0de23938

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
Size

3.2MB
MD5

69fb4a3aebcbfeedd2513b69ef42b670
SHA1

3f38fe64336bbadc3b975bba0295fe31365cddbb
SHA256

f99f68c777cbc2584c3fb8347d41be2ce2575a8cb782f4e026e15bde0de23938
SHA512

4fb9c8df6f78d1d3c345cb80e9e66d65b577410205cefc386a1c50bfb7c1c54e965f43fe0b947bb2c8435625f8913fdec4e45f84f3ddb8b777974cbcd95a2cab
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp4bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	locxopti.exe
1720	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBI\\xdobec.exe"	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXQ\\boddevsys.exe"	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe
1788	locxopti.exe
1720	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1788	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 1788	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 1788	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 1788	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 1720	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1720	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1720	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1720	2436	69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69fb4a3aebcbfeedd2513b69ef42b670_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\AdobeBI\xdobec.exe
  C:\AdobeBI\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeBI\xdobec.exe

Filesize
3.2MB

MD5
5b9ead3e965e22fc51b70a29413e15c3

SHA1
96f88c61b156751b1591aaa6d0bcaf218d380cd7

SHA256
dd2f67b48f1afed0fcb6be8a4d48963eb7241a966201538a1e5148729b1d3a4c

SHA512
80472c84de3ba61c00ab9f09675a0de449ecb173659608c95b1c3b61bb89db6d6b6927c3b1932947d4f6c94da31d9dc71bcfbf8159f167a6ca3548aabed3da3e

Download Submit
C:\GalaxXQ\boddevsys.exe

Filesize
3.2MB

MD5
918c905a985dbc01449ed2463a24aff8

SHA1
c64f16998c1c49fb367f450909d4adc52b8efb31

SHA256
c42e6b62d26403a37c644acac46a69e703525a31327506bf18517a704245089d

SHA512
f70e9bb6400f6e444f1ff19d26dd13e7c68fcecd641e18c3f1feaa1d961607a8c67998e54f6caa792f1f074a067ffb209ea286491d8b6c1897fa1b5c9974acf9

Download Submit
C:\GalaxXQ\boddevsys.exe

Filesize
3.2MB

MD5
0f88353ab144d20fecd81d5d262f6728

SHA1
709350a2225e33fd54be5e5080af8082ce5986d4

SHA256
3055679006c40a77b5abfc1d459a1172ab31dd77e6c0c2a7ec5c5ce866bc1b06

SHA512
5f4ab0e51d3cb73e771381b8f0ff4f830cab586114649ced1180bc5f00c19bf88b6ec8ada2d9126d9e0777aaf6c0c42a35f1e2ee83dcb715feadccbfc79cbaa4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
d8d70ed3300453231a5678b3fcdb557a

SHA1
921446db51162315f4699aa7adac01a38a57677b

SHA256
20069d303a99b6a96b6dd1c1eebc2dc4e27160f4aabbc52bc251d7db76ea4501

SHA512
84ab14d7286765db5fe405c7e83e5badafc694dc8a745c13b55d894bf02eba479c9e7ee3a20fa749c50d54a4d81d86f038080b296e9733bdc19ec049818be126

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
a533840c307b15f50d5ff47bcb30db79

SHA1
0db7f0ba88ccbcb43ddc4b7cc95a862a0c5fbfd6

SHA256
7ddaabc1653c870bfe69482479e702ed72163cb10d7cd11d64e1b6bd629c7461

SHA512
551d1469e8d6ace320af7df63277652c73f8a19c5b016ca4c9ce478d25b73b838d4944797226258c5ceaba7f992eeebea02aa552938c47ec62b120b515a236c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.2MB

MD5
ce80519c51b52e27c29ed2b7238efd1a

SHA1
c20ea49a69fd99e246fef0780b77baeb6591f114

SHA256
4bb6d78473411c68b894e28b9a751dad09ae592473ecb6ea189bf5088c834aec

SHA512
c7b43291cfa812d64275f3034eb4d6fffc10781e07dd8e3f1f0f78196192f482c7e5daf0997b3d968b4f0fd3f59fab28d2b49b132e1764942ac002b06977ea7c

Download Submit