958d5d9f0681d3d23a75e88c013c79f0f89b1b16271140303c7e41a9d795d99f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
Size

3.6MB
MD5

9984511d06af086d3772e9e4a947fac0
SHA1

c78d2995d304cd9053fd6e12412fa20530cea911
SHA256

958d5d9f0681d3d23a75e88c013c79f0f89b1b16271140303c7e41a9d795d99f
SHA512

684590846f597248cdfb44610c245f0ed86870dcb2b43c32b8b62d3f0767ee0bc78975b6fcaf4d1ada69f431d8e89950561e28a829f08951d33194d35ba2e19e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8:sxX7QnxrloE5dpUpKbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
800	locxopti.exe
1516	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeH3\\xoptiloc.exe"	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4M\\dobasys.exe"	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe
800	locxopti.exe
1516	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 800	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 800	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 800	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 800	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 1516	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 1516	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 1516	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 1516	3008	9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9984511d06af086d3772e9e4a947fac0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\AdobeH3\xoptiloc.exe
  C:\AdobeH3\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeH3\xoptiloc.exe

Filesize
3.6MB

MD5
b265694033e4f42cee3157ff733f8142

SHA1
583f2f8a617c7a985bc839ff1436a0c2463b0765

SHA256
199c21a8b7b7eda965fb4d30d0c3dec340ab33127b95d6666be52d6fd0a899c7

SHA512
97cf74314815518630b3fc8c0fdc79f1b8252fab226eccbb1f30d8db45ee1c31eea4b4dd05e61ed93f32c90e0318441d05b38b81d3dee6e0a13493e2858b983d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
9771578eae5846405118c53322c24872

SHA1
4fa0d014522a6ccbf5b057934178206d0c5f141a

SHA256
cc89728e1da890994b2cf8eea0f7a36d5bc2927237ea6157aaa01a6f737ef162

SHA512
4f28d915fc3d7b22e5072ecc45ff35063d0d84914458ec08dba9611952551e9cecba9c31a587cc10dcca68cce5ac2fab4485e073ec72ad124e3484c0705fbb15

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
8d7fc37ca0985a0860ec149499dad8d7

SHA1
f5ee781f5385c444d0382a587204e60f84775c14

SHA256
751c4ee7f207f0acd37226a38b5e19d6384b5a6342df425658582eb0cbff43d7

SHA512
e1b7534632d0da0d677aad4e7c95958878ffd50e26361c316b30793ca1964b63cb2b589421d4da5cadcd66c95cd595e0e2984fd98e64f4ea3500c15fbd0623bf

Download Submit
C:\Vid4M\dobasys.exe

Filesize
3.6MB

MD5
8466da0d9a1ca3ec3cd4fca370ef6ed7

SHA1
49fcb8d162ebc9b7621951a04f7ebb535dc89961

SHA256
e91e963eb733d7338441c62e21079beab134fa0a600c920f0635bb7d839f9fbf

SHA512
fd456f509aebe387c8f63e47f0c74cb7ccf4b2325852bea22a98e01c1ff32992f3b7fb110e883e33a2ce4ed2a87f6d3ce98ecf25ede7d0a9182f7e1a79e2f81b

Download Submit
C:\Vid4M\dobasys.exe

Filesize
3.6MB

MD5
a3b1814f7eda238d970f52f7aa359810

SHA1
70b9d96b59070a6619f233a8cd49376e288bd1c2

SHA256
079863dcf5435c2047159de74a6ee03303aba0d6187d069e2a2b8ab209ec6f34

SHA512
8c8d7d37b2057c69e26f4590b8e357584fcbf8a5b83b7795140dfe39a6a1ba14ae29a8be947f22e7eee5006366e39e07135d0cc1a6beedae7b1b6cf99c533802

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
de7c667b9809ba2d22cb3cc4e5525c62

SHA1
5cc0caaa00d5199cd0c36e56e25d3b52f310b1d6

SHA256
4f981b2fd13ea538a9a361d6de710a505d6e1ee5531de53c9f0aca162e23f1e5

SHA512
358df2fc38e1c24861260f347486d07072e092f3d062f459837102916422a549c7ff15c4718f4fd27ee07ea2db24cc3d5f0aca26fb72d709d9ca38ecb3746755

Download Submit