41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
Size

2.6MB
MD5

def1e869da80f5600d47d63a4f5ac9a0
SHA1

e0a5c4186efb0c4e61630bb068e6e91e7884daf3
SHA256

41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3
SHA512

49671bf7026cd639afdaba65e7d3ae18ca0c83d422bd268b6b29b279ca950bacb81d3574066bb1b28989e75b42788d33dea7e7b0d9838696e699d6442a528336
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpMb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	locxbod.exe
3064	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBR\\xoptiloc.exe"	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVJ\\dobdevloc.exe"	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe
2012	locxbod.exe
3064	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2012	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	28
PID 2304 wrote to memory of 2012	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	28
PID 2304 wrote to memory of 2012	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	28
PID 2304 wrote to memory of 2012	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	28
PID 2304 wrote to memory of 3064	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	29
PID 2304 wrote to memory of 3064	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	29
PID 2304 wrote to memory of 3064	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	29
PID 2304 wrote to memory of 3064	2304	41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41c7a5e937880915a79fda0fffa54086cd21a69b762b7e9a2ae41fbf579a47d3_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\UserDotBR\xoptiloc.exe
  C:\UserDotBR\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBR\xoptiloc.exe

Filesize
2.6MB

MD5
6370f28e78e392da9fdae5371f173dbc

SHA1
9cbb743c211db11ce93a6e1b1729408734038b43

SHA256
a00999476a69cb2c4e3cbcd65e524a06a53d42f0b8fa0b842617e4c1dfaa5a14

SHA512
8e1deaf089608a085cacf3728a00fdb8923905f61f31aea56aa6929e4c59eb6c8e30e2e4d94777f8c78d5f0f9194a31b19c4b48ca12156aa0cbbd15c6e3b8b8b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
fc290eacf3f2291ad65f112e32454d83

SHA1
9eb7eadbcea8a35203475108077fdd714f7d7c5d

SHA256
f084521778d0fd3412c65a5abf1f863aa241386cd621e29eb4f403a44ab3a352

SHA512
e6bb8f3fa01f4a1608edb0e623615594763d11907a3dd7b7b5e392839a43b22d05ef1f6785f6fab39ae58cdcf299418006eaf2dd17375c650ed31f2e3af1a621

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2385e1709353e4e0eef7a3d2de3d0abc

SHA1
9d08a127b835805a62e3056c8961221d69e58009

SHA256
1810e9fb9b7abcdebe30135208671a984b3aee6e2b911e941851e9df480c5406

SHA512
fb4b29dbfc9bf4b3db5f53bcf18667a1cadfbec35a19afb29ddd0697b9a6fe67ec314a1633735648cdc0bc0b3062c506dd44124a7e0b548297dbca3f603c4d24

Download Submit
C:\VidVJ\dobdevloc.exe

Filesize
170KB

MD5
4abdc9a22b20b7a50d14918f04d17aa3

SHA1
4fe3d27c149e2d5ef3829cde8b0bd80e55b80162

SHA256
1e2fb157162019004e584dfd9dd48c11d8fd017fd1136d87557cf32bc2ec819e

SHA512
cac5e24f56a5179a7c06a3bec0a3ebe51fffe8fb4e470b593e4c1c6441fc9521dc215547d507a8c95c38090f57ed507653e71805c2021228e916241effefb688

Download Submit
C:\VidVJ\dobdevloc.exe

Filesize
2.6MB

MD5
a4b30daa0f99443ae50c31f339617a76

SHA1
5ce845efe2120e0cbfcac8cc689a6dadb55fd101

SHA256
a6e4ee70c471c52164a01730f5541707c75a7a6f38e4ba773dc9881d9f118cbe

SHA512
95aaae7f8ded456a13e3f41e1de97eef1a8e68448e95e9b96be46e2c2b603a979f47b6cff0312bc9ebafc6d7c0f9cee199eddd42e361bb475a0fc7d56d2f8187

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
6691b37a49cc35c6734a659cd3a661fc

SHA1
e677174c37f2222aaffeec3cd8607d901792c16f

SHA256
66f252e720ccd083e825512e6073dc47e6ed02febb7e260ae6ff329451334eb9

SHA512
907e0c745996109c2662f4397a717b4ad7f082b2f94eb39ba9005d160507089208105f9168e0b10d19f4ae85a380a6e4ba45070bd52ebb455ab7fa4621a3a431

Download Submit