51729f590d3eb4ca7d41c1617cc507e52766ea7e0ab095a74d5f5ff69fcb25db

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
Size

2.6MB
MD5

1dae5603564f4a8ff932855d3ec7f590
SHA1

bec7a6c89894facb806eaef85c29683c1337079e
SHA256

51729f590d3eb4ca7d41c1617cc507e52766ea7e0ab095a74d5f5ff69fcb25db
SHA512

bcb0a962e6ca8d680e7300834245105ada05ed4dbdba9344f337d8c115335aa3793b0246c0d38a6081d318e08d178de43d7d11cb8c739e7b8ec1f3c76d17b0ca
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpGb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	locxbod.exe
4140	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBNL\\optialoc.exe"	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvC0\\xbodloc.exe"	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe
2524	locxbod.exe
2524	locxbod.exe
4140	xbodloc.exe
4140	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2524	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	84
PID 4780 wrote to memory of 2524	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	84
PID 4780 wrote to memory of 2524	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	84
PID 4780 wrote to memory of 4140	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	85
PID 4780 wrote to memory of 4140	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	85
PID 4780 wrote to memory of 4140	4780	1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dae5603564f4a8ff932855d3ec7f590_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\SysDrvC0\xbodloc.exe
  C:\SysDrvC0\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBNL\optialoc.exe

Filesize
20KB

MD5
12f25a7475deb27ed1c7ba2abd7760c3

SHA1
81432be178d9c134a354ff0cc96fa692d48bfa91

SHA256
377ba83ba13124a6838b1c6d595bdedafd8d941394d202a678449a01976481e8

SHA512
c2c052efac626bf81fb22548859df986096300445a29a77efd85186e8ca4b255812414c4909723ed38053f1db401ccd3a487a75ad0e9bf09a9437b0d9bba44fe

Download Submit
C:\KaVBNL\optialoc.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\SysDrvC0\xbodloc.exe

Filesize
2.6MB

MD5
2e38db84fffba1386d5b1cac5d125ab5

SHA1
d0d605a71116acbef5b5916b88fc7d90f810c3f1

SHA256
7e33bedea8c403ef0d2c1580031db87c4014a611946458228443dd72b7f8e4ec

SHA512
7fb46de505a79030865c998e059cfc6f7706a90111485c9e1739ad2acb4e6fa6ae2950d18d8c472747380d972d9ab762542c72e168beacb7829cce7f7e76856d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
8b2f7fb57d4dcbd74e1e616efa26bb88

SHA1
77fce56e721ed238bf4d85e137ae45e2c9a70b17

SHA256
f6c0ab385738d9239ddd52be97587d9c03bfb76f201e3fd825dac06a2ccb22cf

SHA512
b5c6ecc65441ca5c53d7b32952957856a6afd165a5829983b5f8a61a06c64e756976af82c87b7bf7e32845c6566d728cdfc736b6f148232172cc2cf5849e1c86

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6287b278eaf8450f39443cb16eb29341

SHA1
a2a21095dba36e3d58551745a5e82f41b424ef05

SHA256
f2c303bbf451bc2db9cfb2fa9db84517c4d0ee5b25e074e6dcc754198b36a070

SHA512
9507b69a8f3a26cca5c5e631bbb665249cef5c71abffa00fc8a42c2a5213d1cfeec126023e5ac90d16eeafd590765609b064fe814940fa21ce65902c5150bb83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
a31611011f00ea46176101d067735421

SHA1
88c84d2857c13a4f057815b99c8daaf4455f2832

SHA256
60ce8cd6ad7dc88b5468bee5df6b60631593cbebc889205188f5d2ec4f1ba1c2

SHA512
0df71a4bdd77304604e71c39bb35e016c0cc4078c1472dbe15002a27ed1a3933232e7a008647f925e0973502a990395762b81ab39f37592b245eab4053b6be31

Download Submit