671d3cc0c6911dbfa5e31969c5a6d677dc4f2c56afe1d5e23cd7f9e3ff1c7094

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
Size

3.2MB
MD5

74d9a48fd719bb24dd4ecf37e57dde90
SHA1

58b240bfe15892e8e3d5a610e95a2cdbced3497c
SHA256

671d3cc0c6911dbfa5e31969c5a6d677dc4f2c56afe1d5e23cd7f9e3ff1c7094
SHA512

8dddae1c43ceed821fe49267b02fd944c369a529b1c61ad38c00dd4a284edf3e68e6ae791f2c688444bd8e04cbb2d686b9f55f45c23be335c4b4fd92ef0f939a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp+bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	locxopti.exe
2988	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBI\\xdobec.exe"	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXQ\\boddevsys.exe"	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe
2256	locxopti.exe
2988	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2256	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2256	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2256	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2256	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2988	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	29
PID 1808 wrote to memory of 2988	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	29
PID 1808 wrote to memory of 2988	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	29
PID 1808 wrote to memory of 2988	1808	74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74d9a48fd719bb24dd4ecf37e57dde90_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\AdobeBI\xdobec.exe
  C:\AdobeBI\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeBI\xdobec.exe

Filesize
3.2MB

MD5
12742de7b18f2b9c594b26d90164b095

SHA1
b8185fa215c5b58089a8aed49f67698bbbc223fe

SHA256
99320b446545878820f590ec250f14316fef4bbbccf488240a424521a0259774

SHA512
4a7b538bccf250e7882149f9fc0247d332f6636eed46f7e39ad7f1b708d8d8e15f1fe65186479dab591df2cdbb4333f131e24dbe191fa8cf97383ae6a1f8fc30

Download Submit
C:\GalaxXQ\boddevsys.exe

Filesize
1.8MB

MD5
8360354fbdc1b8cbaebfc72170df311d

SHA1
4e0f6cf8db3dcc8bb9e3c0d46e3deff1594b2d2a

SHA256
426f481d9854d820d754dd3d57884c094965628712396fb788c14479179e76a2

SHA512
0824120d78e040ad99265b9a84a4bbad36a64da39c9849c5beccae719b4f451008ea7fadf34c5dbbd57af3db3fdf6e78165c9041601932a7764269ea5c9e466f

Download Submit
C:\GalaxXQ\boddevsys.exe

Filesize
3.2MB

MD5
d97c330a22272b4fbfd630c02f8a77dc

SHA1
39c804aafe7b369801eb6a5e7f2c414b838a2af9

SHA256
d60f4ebf796d382c6a1191c212459a252e6a5c4b4225fb7a29f38320801e808d

SHA512
ae77576a676cc54acdafca62ffa63a7b2e12fec5cc570fe67845440dc624e4203270d82f7fedb13bb3f42a62de657d495022b76bb552ddaa86a8fe4bf989934d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
d8d70ed3300453231a5678b3fcdb557a

SHA1
921446db51162315f4699aa7adac01a38a57677b

SHA256
20069d303a99b6a96b6dd1c1eebc2dc4e27160f4aabbc52bc251d7db76ea4501

SHA512
84ab14d7286765db5fe405c7e83e5badafc694dc8a745c13b55d894bf02eba479c9e7ee3a20fa749c50d54a4d81d86f038080b296e9733bdc19ec049818be126

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
a533840c307b15f50d5ff47bcb30db79

SHA1
0db7f0ba88ccbcb43ddc4b7cc95a862a0c5fbfd6

SHA256
7ddaabc1653c870bfe69482479e702ed72163cb10d7cd11d64e1b6bd629c7461

SHA512
551d1469e8d6ace320af7df63277652c73f8a19c5b016ca4c9ce478d25b73b838d4944797226258c5ceaba7f992eeebea02aa552938c47ec62b120b515a236c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.2MB

MD5
36e4cfdc9a6ab3acb9a0ce2a23a70d36

SHA1
914e5893e158f55cce4502851da878b002dc85d0

SHA256
527e82400cc397454118a3ba7421a839f8172120225182779794df9e373368a2

SHA512
a36c23c543eabe2e6eededb8b37c92e8969a4d3744ee90464ac88e6b533ec0d3078485543f940708650affdb08aa72bf3cd79de517c66c8161739d90fe201968

Download Submit