8080c22247e7f0f953394f7ad604765476cf7b0bad75914c6bb3a30e64411b3b

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
Size

3.9MB
MD5

3e7b0dc57b92277018f3d547cf294ce0
SHA1

c8c826bd8ab6f0925f3774066638d97d35db265f
SHA256

8080c22247e7f0f953394f7ad604765476cf7b0bad75914c6bb3a30e64411b3b
SHA512

7ed974da8672577d9c0a9c7f404e295134a770e927345534f3bff4eb378473c7d7f045577aa2b71ddc8288df9198875867036e17ba8e749b59461170fdd1d828
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUpFbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
4720	locxbod.exe
4324	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTQ\\adobec.exe"	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAL\\optixloc.exe"	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe
4720	locxbod.exe
4720	locxbod.exe
4324	adobec.exe
4324	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4720	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	91
PID 4660 wrote to memory of 4720	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	91
PID 4660 wrote to memory of 4720	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	91
PID 4660 wrote to memory of 4324	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	92
PID 4660 wrote to memory of 4324	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	92
PID 4660 wrote to memory of 4324	4660	3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e7b0dc57b92277018f3d547cf294ce0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\UserDotTQ\adobec.exe
  C:\UserDotTQ\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotTQ\adobec.exe

Filesize
3.9MB

MD5
25a0c96608ec955e82ec603c712193d2

SHA1
2305c7a2dde59a34d6f1a57bd8e2f81757320c98

SHA256
6274b8a32debc48b87e974242ea2e50552f507aa8e2c53328047a7106b299089

SHA512
41f2511335d2f6a4b0d34e0e54bb187764339eabc61bd6897d9483d55d31ed774360e64121242a98f434d3614619c01a3d1b9beaeb40f53472f50090b0bb6a38

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
0734d06b198a0fd8696475a54c7490d3

SHA1
7e77c394d069a42a9d0d90326b911dcb4b465352

SHA256
17dbbd9468fa24523376cda144390d100184ef294631a136a815077cac88f015

SHA512
a661d5035497b6666191c654b953d9169fd2f6f2a310b824e9d743adc018ae7cb962df508ca03c925eb3c137fe4313310a531952414776dc7cca75b6a740bfa0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
42d38f63829b3b8dcbec9173fcf2cddc

SHA1
ce0ca33764e25658104672bd10372992678a32c5

SHA256
ba935cb12a07ce555b5e2d2752d6b31d07c7913dd439b7c863b90acbbbe606d3

SHA512
558046f051f98fc26b8a4109a63ff00f6319f7f93a36e14a51e56168c62300890c65fa9d896459570862911c1a47504a5f6b038add868a4e8f9fa075c1570ecd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.9MB

MD5
44f6ca7aee3fa923b592810d955a08e7

SHA1
cedbbf48de89cbf2c0e2bfa626639135f70b06e8

SHA256
6b27ce1c2609798b0c3cff1797a338089624cd20567646d3b1fb14537573149e

SHA512
a7da3ca7fd36e68ef220db9b5fdcd5d41d10b4fc78c072f1415441cc14b205dd102ef20105fbca2a46bb4302b61863d1952247f15bcda19a9a9c1d588b1b1d17

Download Submit
C:\VidAL\optixloc.exe

Filesize
3.2MB

MD5
8f6d5afac5bca7f5fdeeab9199880c7d

SHA1
f1c3c85c1231c22b23a4bfc74643b18c42bf8403

SHA256
77992d9648a21043eb090acd6d08961b439b31d0f7bd5d419814cce620a184f9

SHA512
4c4c1c244d9fad9d2cd3cd83b01bb55a447996ef7c8ad4d39198f1b0c9f0b403c09af6ff8547f1a6e74cc2663a6d58bf2ae053535848b9a71d053eb13e0dc13c

Download Submit
C:\VidAL\optixloc.exe

Filesize
3.9MB

MD5
e22e22b1b2d5748691818279179b9285

SHA1
8747b73b1b61228db1759d9178e33d1797a3960e

SHA256
635a0462af465983a37ca9caf42ba63a2b9b7f052b890a4282e019f87d6be3c3

SHA512
bc7ea3be3846d3619d9e7b60f7711fc644ffd8a6475f3aebcd8770933b1b605529728a8f61100319bc6d87f4a7953432375e7a3990310f7940f9ea7314763747

Download Submit