bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
Size

2.6MB
MD5

5e1c8de89597847d39f9443b7bd03160
SHA1

d10c16c03ba59aeb9a0b2d4fc5d9e4bae428ff53
SHA256

bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec
SHA512

b6f4d75a44e3d23666e3fd8f6b27255771869f6bf015a837289602ae31df63c818a8f3f352b6e322352f3d78f6e0c070fbbc45c9a4aed926168331dba444a756
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUptb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	sysxopti.exe
2668	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotK9\\xbodec.exe"	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2B\\bodaloc.exe"	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe
2032	sysxopti.exe
2668	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2032	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 2032	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 2032	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 2032	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 2668	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	29
PID 2252 wrote to memory of 2668	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	29
PID 2252 wrote to memory of 2668	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	29
PID 2252 wrote to memory of 2668	2252	5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\UserDotK9\xbodec.exe
  C:\UserDotK9\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotK9\xbodec.exe

Filesize
447KB

MD5
1dc38781176be25e3600c2ded876f946

SHA1
3301054c4f6ccb51a665c95923843147d4b8e0da

SHA256
507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741

SHA512
60f14fae2b0b05856cb44436c2e6b9fa567efe08e13e3db85e15925e3313c4a51202f7adbbade58a9e7bb766072cc10ad6a063cc7978b4204104d140281ac016

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
65afa83001750f48b3c1bf02241129eb

SHA1
ce386ad973ebd75388015558323e727f0dd6ebd4

SHA256
d1c45d8afc2b87b17040e2f715d772d29a1898048d4784916123111a8eb0ece2

SHA512
c3f2b1c54ae38919de91a6df9483de4ad117fcffe81754a5ac407506bbb0d9cf4d9fef0a672d5000c0a94d9444e436de2b860ccaecb6ceb5c4d19fc888d24f87

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
b875f1ababf6c10a134628e46fb02260

SHA1
e0196465319bcfd2848099bc262ddccab5119221

SHA256
fb564aa85216bbf7b83e2e00c24151817c8ec269ea17bc82d6c2f1f00e094373

SHA512
8c1ff915814580294436697a92effaf00ea5ea555b5a52e1bbbd3011d2c896779095ff12781fe3a51e4316e664b0edfadd48cfd38a954cd7ebb61f4087efc011

Download Submit
C:\Vid2B\bodaloc.exe

Filesize
2.6MB

MD5
6e39c2b845e876b0ed80dd21033084e1

SHA1
1f5ef2476f191f31f4031475a68b15e2167cce15

SHA256
8947e739c341a7af6c31010f252ff99ffb11e7c10850078bee19d9e284e15eed

SHA512
5a575ea5210b981734b4f92037e44e28ecd2e1598d5f0c61fc074f4f761adf1ad7d35f1a74cbda099b4067c46d8d4a3bc271382defc8c3dffbea242d87b30170

Download Submit
C:\Vid2B\bodaloc.exe

Filesize
2.6MB

MD5
ebef48138c153b4db5866b3d2cea6e9d

SHA1
c39d69a4435f466ab30c2dc1b58828be325a9860

SHA256
166834794c8228d52e678eae929251e41fb679be515442dd507d4cfb3462e743

SHA512
9af7b1a6f9d04d70b02c5b4e98514df1466e14b6b7439deff79b85a5b44f7740d05713e30a5e47d9cf04af572e480fc056cccb29da963aa673d685c59e7b0b48

Download Submit
\UserDotK9\xbodec.exe

Filesize
2.6MB

MD5
e81304f18b262cfb5883a916eff7aa01

SHA1
32d2ae042d6b105d208c0fd1dc797aef8fa36085

SHA256
640c9d0906d02b843944875941cbab6f30204f1f4bd7a7a42f89100218ed086e

SHA512
622864b1099785eb3a0885c8a7faf9fbb5b02966534cb78a8e8093a668aac56d6356f5d2b8f1807c8a1a8464d13d6c5a4c4937f0e97ff7ecf533012fc986a07c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
3185709dc78f047c88e0d6cc7916eb46

SHA1
3b7b8e98a3a55f8432951e5caccce5ccb75e9d16

SHA256
ae23b91f627cbc61ca37b6c0e9ebef1552e834dd617c7f0361818f8040c55e5a

SHA512
944e4a1e926283fa8c1d633320734eca2805d969151cd49d1f1606bebfe910b26369099b2472c0d86845875c1e112607912f2b74fcd9cdc8eca436a357cf13d1

Download Submit