3e68e750761c30c8c399f101a615288c0e44ed9930da562a32b99b22ad0d055b

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
Size

3.1MB
MD5

229e20a0943c893e1fd53d72cb6073a0
SHA1

d19c0a52885b9f7266b806e3e338fce05b8f11f6
SHA256

3e68e750761c30c8c399f101a615288c0e44ed9930da562a32b99b22ad0d055b
SHA512

7b02cae53fec4e67de0df3c6e80587a41a2781b2185388c7e4436e34710492a79d2e8e1be408d542da1d594594885ad1c1be49bd79fab12f924be620d722ea33
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	locdevopti.exe
1284	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ7\\xbodloc.exe"	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAH\\bodxloc.exe"	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe
2372	locdevopti.exe
1284	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2372	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	28
PID 1132 wrote to memory of 2372	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	28
PID 1132 wrote to memory of 2372	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	28
PID 1132 wrote to memory of 2372	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	28
PID 1132 wrote to memory of 1284	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	29
PID 1132 wrote to memory of 1284	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	29
PID 1132 wrote to memory of 1284	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	29
PID 1132 wrote to memory of 1284	1132	229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\229e20a0943c893e1fd53d72cb6073a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\IntelprocZ7\xbodloc.exe
  C:\IntelprocZ7\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZ7\xbodloc.exe

Filesize
3.1MB

MD5
3671a6d57f48940752f94dec86d10503

SHA1
4c54020c94abb6d2e1e135647e1a5fd04d7cb35b

SHA256
af474a03afa1e2274641d968f485c99c15311cd22e0590f884ad7d8231c6272a

SHA512
329c02f15b1baac3045f074cd363b6fd71486d6a1f626c7a827c7276556fa5292a41eec9f0adbf6d2d7421c0df754ce8c0b15042017573aeb874b6947b3e7ed9

Download Submit
C:\MintAH\bodxloc.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\MintAH\bodxloc.exe

Filesize
3.1MB

MD5
2dbd17dbe198500013c5bce61ea944e3

SHA1
cb7e9d325be3044463d298ee72e1a4c29a4adb19

SHA256
ec91c3fd90c3951df75124281eab330e27df01d46cedc0babc4a20faa49eadff

SHA512
9208c6967848af3bf87b6c7aa896bead4542a4a6d16edd2ddfb3a94c44750b224302cb011785bf7208db0ea4e06f861f9fc3468e5823d944c04a9770e4bbaca9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
bbcf972c9ad3314fa0cbe5ba8944ab31

SHA1
9c0d3ed85f622d539dbbf53d57a848ee056d1eb5

SHA256
0158cb80e0429d0816cd42dfccd789f20fbfe5e6db1f20af71a594be2966ef3d

SHA512
3a8c7306cd405ba55a4618b0352db39480c07139b22859fcbbb4b38cca8a3ddfcee7a566c69d3ea114f7726db7d0a1c1926213e4b98dd622064144f73e16154d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
d6381ce1fd86542c1aebe0d2d25fabba

SHA1
988fdabd018e7171a214b347274d8c70cf5a04e9

SHA256
9bd207c8e3dd854e5ce83e10271bde6a9e1ca1d49a62f63a899be40aeaacb588

SHA512
5ffcb605d904c24bc6e7732e9eaea2a17d3e2fc0e5d3c72da8a19dec9e1a3d7eebc3684f9baf87018612647493b58c819b7c8b0bf177573cd5fe18fa374f0e27

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.1MB

MD5
ce21fb712e06c259161dfaeba26731d8

SHA1
ec6b5038954d5f4d7bc3f689f6d4da2f5dad08a2

SHA256
f8530cfbfab37718078ee9c260d762a23eb835ae36eef1de593442c88e02b56e

SHA512
1fc38d5ed0eed323e08007c80d29ab2e8c2638a95fcd78ca0406cdfd3fef7813dbec0096d0d4551218b5d69c4d0c91e6b8daff92af8082b804ef7835b4ae1230

Download Submit