864624286e452de23178a30d00dc57123894915ac5e38dea324a2a13a2448806

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
Size

2.6MB
MD5

502062ef99bc30d49d43738550ff62e0
SHA1

d34f5675c62a73522b9b07026eb64819bcfa38e2
SHA256

864624286e452de23178a30d00dc57123894915ac5e38dea324a2a13a2448806
SHA512

e55ec80223f4990081bdcee4b1aa6f380f458322f576e551aba6de8c41cd92a02db07954b5be3921d0642cdc8c3bf3cad2c7386700069220ceb10d90263db9bf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1472	sysxopti.exe
4888	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeG4\\xbodloc.exe"	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGL\\dobdevloc.exe"	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe
1472	sysxopti.exe
1472	sysxopti.exe
4888	xbodloc.exe
4888	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1472	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	90
PID 2160 wrote to memory of 1472	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	90
PID 2160 wrote to memory of 1472	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	90
PID 2160 wrote to memory of 4888	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	91
PID 2160 wrote to memory of 4888	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	91
PID 2160 wrote to memory of 4888	2160	502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\502062ef99bc30d49d43738550ff62e0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\AdobeG4\xbodloc.exe
  C:\AdobeG4\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeG4\xbodloc.exe

Filesize
4KB

MD5
ede40b36034d11420daf9b761d447622

SHA1
83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7

SHA256
6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4

SHA512
0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

Download Submit
C:\AdobeG4\xbodloc.exe

Filesize
2.6MB

MD5
d1547b89a8d4b99430de9c3bdd75d004

SHA1
c29c55eae4a9939353dc4da3c58731d8cc3444ef

SHA256
bd94c890b594d1ced7b06f6db605f6aaa589a2f0a5e54f353e634e13b071be18

SHA512
9914bf588618536841221fd92c4008a6114107784e1b2bc45411658939c409e192417dbbd4600610c61cd5a7d4c016f258b9eaa6a9238ce8e9cb5fb7ac45a848

Download Submit
C:\MintGL\dobdevloc.exe

Filesize
2.6MB

MD5
52de87466ac8f8fd942f8b7d8debd13b

SHA1
9a9ad009697a09f3f0c04f8408c03a159bba2093

SHA256
5c85a25c14fe21acb5151bf67aea53e5a7cf451eb6468a9cc63f2dc6231447bd

SHA512
fde5ff0726512c78b9f5787b2752160f3e1b2dde1570420160b7271d4dfec802c9990e81779a30fcca00ce633f4b805607e66dcc2f54a939747179cbce0d7673

Download Submit
C:\MintGL\dobdevloc.exe

Filesize
2.6MB

MD5
b4aa111bb787abe1ed305c281f4a71b3

SHA1
4ee43cbeab07e8da0dcbd26036813c3fb3c58a5e

SHA256
94580954df15cd6f80f7a6d2746a21886faf733aadd17a692dcfcdf6eeed477d

SHA512
0a7c42ee9e06483e2806511bfd97e456126f4a998e728412fb123ab8854ee81e380c9869526eec196dd2c8ca166db48108c186250d1f43d678aacb7e2eba4ca2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
11e4f01f6f38239168e9129ae314304e

SHA1
b77c45d8f8932ce8db63f45cdaed14ae3d39d494

SHA256
367ee9c6051f8dd81c0a25b3976a813fc2385911ec9976b2df8bae1d4aad0997

SHA512
877ffe997ad0ee3bfd0af84133b02cd74bc26395eb2c24dd93348e532f2c008526717b34184d74a8f04028cfb6dc5dc7f9e7f77397dec7a76e2ce4d8c2629a69

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
17b31ab52a12cd6db19f70fc020aee91

SHA1
6c87ac4a1bb07a584fc3956c401a4e4abc998fbc

SHA256
88cb6866c47fa4ddab347ab4f623a45df168c0d2b557b98ed3da560cc58a2dea

SHA512
0e5eca410be6c46f558e40e8877a27a1a1294de57f57af8fa4c4460659b18cf13b6f82cff214cf3dab47f1ee83afc26235177f07ba9a6a0ff90349eaab96f1df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
29e815c4b88bd3fdfe9b7e1ef9c8e55f

SHA1
8646c70baafc1c8491ac76b0f2d571b74945cd7a

SHA256
aae22a5125c7722afb7a7818673584e3b0c7a673aa0617c65dea1408258e9a5a

SHA512
b536792c81f31170cb32e32932f83724c56b1a31072f604344daf9ee2414dcd60613099a8696603001fca68e51742e3b656c19f5625b0b5ed685565cf93d9f7d

Download Submit