24b4f6afa459cacc08eee536c212605f5f65424958944547e912a0a94eccb6b4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
Size

3.1MB
MD5

6116b5c411c0ce0a30ffd470a9fbeb30
SHA1

246645a6bf29e4a07c41f65aac6e2477a2c94de9
SHA256

24b4f6afa459cacc08eee536c212605f5f65424958944547e912a0a94eccb6b4
SHA512

5e36495a6d78ef06a543b44ea07305bf3c8c4e1d735ab1c4ba9e63297d3e29eb11993406561354f6b4945bde01d6150a197a7f5fc4ee38b7390b719d8588561e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpPbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	locxbod.exe
4492	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8Y\\abodloc.exe"	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintND\\optixec.exe"	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe
3004	locxbod.exe
3004	locxbod.exe
4492	abodloc.exe
4492	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3004	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	93
PID 3480 wrote to memory of 3004	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	93
PID 3480 wrote to memory of 3004	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	93
PID 3480 wrote to memory of 4492	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	94
PID 3480 wrote to memory of 4492	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	94
PID 3480 wrote to memory of 4492	3480	6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6116b5c411c0ce0a30ffd470a9fbeb30_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Intelproc8Y\abodloc.exe
  C:\Intelproc8Y\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1424,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8Y\abodloc.exe

Filesize
362KB

MD5
b5a4f404e314653c251f41e8e6ff1506

SHA1
2481e42e62dd0e166bbf8b201ced4fb0f97c0c4b

SHA256
29dee0c5a77b281b607ce6acafc6a643fc5c05ed1c1259281c9a2065c633f64b

SHA512
5b7cd57f124bea1e5bf4d8340bf5d6fb5c3de99c10eb2d81af2ae842f1b94a4f81bc1caf430b783099534829c76983bbb922c7f91df646950bde44c64d46ca6b

Download Submit
C:\Intelproc8Y\abodloc.exe

Filesize
3.1MB

MD5
71dd608187155beefdd282fc78329dde

SHA1
db4d68a181ec44f29478f15d47e7fc2e960c4c8e

SHA256
fff73802434018529187248e98a3c8e142ecfadf2d7b6b55e502bbec5524a53d

SHA512
39699eed9a6cd9c8199bfbb284f0ba7822abab56e125aaf70772fd4606b8b30004bad25413c7c958194c0c3b7b63c48ccef8e9a33abf6a1730af1a0834067b36

Download Submit
C:\MintND\optixec.exe

Filesize
714KB

MD5
9b7f05a10ecfa8fd28c28aa9c30998f4

SHA1
26fdcc0bae93f506a1f2a3e009b1750fe300b486

SHA256
da88beefc6eb0f5b4f1f738d108f2d1168375ba45b346ab95da85801b7b45029

SHA512
d6985561cf87881cbde07fe1e905b4a90c15537cc708bdde13b2f532f68222da806c196b5370f3254ee0b673180058c86a5ea7668b56b8efe0f43fe133588cda

Download Submit
C:\MintND\optixec.exe

Filesize
3.1MB

MD5
eeaaf9c302b9243efb28658669125ad0

SHA1
043401039474d87bae86f3fe91cd066ff3ccca2f

SHA256
8f99b9b6e56e749b78196ec17e41651c1824b48b23eb0cb0bc3af4fbb6cce042

SHA512
b1864a1c6fd9676b41980ad3dea19c499797274182d1adf5d74fc9aa32061c95763940061d234f3bb8d7ab6f9f4a54b50087c6d838c6904541b9fa0aaf0380f2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b5cda47b8087d9c3ba5882ab2554d38f

SHA1
f0e44a3c054c065d57472930bd17dae4bb96e055

SHA256
e10584d15af832423aebc43bb23ef02f9c1a9573db02cc5657b042feeaa6a7ce

SHA512
b0c49591136ae0b8f1ff83947de03789708eab38d5a4c948caac84470a1d8a1bb474a573e239e91f9786f92ddf30080e3defa403a2bc511f9c3ea7c87092c814

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
afdcba414b655a93ab17fbf9b92f6b5c

SHA1
82e3a3ffb476af88e7d89394dd7f1713f8bbfb7f

SHA256
801898127a2061b4c7ec6d8e9d85e7678d98372677c41b096002162804f0cd33

SHA512
53a39b26a52b63c4034736595f4ea89277bccf5bb6b48c4d6bfbbf2db7db6c621388f1fe2f7f8f6400d8c679b5bc8661bba410961d2a1cdf74675c62bd321eb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.1MB

MD5
3eaf13ae5bb853c1945f30ae46c13625

SHA1
730332ff36e3d19f36c6bee476c1f4b92a1cc392

SHA256
bd0954d0fb3ba99d15db43a825ab46261f3df072f6b4c16edde269948f20d992

SHA512
a2d0c3facf2b88944f11ffe9b5f02b2f264a2fc5223ad875eb1fe1f2bad5c83b8c129cbb5fc302c99bcb6be915936333d5d3859cc2e694314ddbea425ba857f8

Download Submit