568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
Size

3.0MB
MD5

5ac992e91ffc386c3fa7e86f3f2d5400
SHA1

86ddcc2c16357e398e3bcf859ad7700b665f1036
SHA256

568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde
SHA512

983c6518d225185e6e6a377058d8b0f135d1e3b75a99c4d80727028d9816bb46f0023f16232cc1c1c983dbac6947df9f07bf2dca501f4bd2e711dda5a850b158
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUp5bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
408	locxbod.exe
932	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3G\\xoptiec.exe"	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTX\\boddevec.exe"	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe
408	locxbod.exe
408	locxbod.exe
932	xoptiec.exe
932	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 408	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	81
PID 1572 wrote to memory of 408	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	81
PID 1572 wrote to memory of 408	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	81
PID 1572 wrote to memory of 932	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	82
PID 1572 wrote to memory of 932	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	82
PID 1572 wrote to memory of 932	1572	568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\568a932dd96735842bf99ce50885d42403e85b0ed02def0046474d9bbf736dde_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Intelproc3G\xoptiec.exe
  C:\Intelproc3G\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxTX\boddevec.exe

Filesize
2.2MB

MD5
89c5c9440297864be3dbe61b0e9c903c

SHA1
6a1b6c3dfbaa586219a88ad698e8954a988525df

SHA256
6b20396ae417ed4b850f7509c1c3d09981017a524c2b42b6fd61307cb4cdebbc

SHA512
fb016203a9eac99c1c9ea143cefe8e0eab19faba786238d316882254ee45756103f248a4f5eedefe44ee39b84dbae93fe69bdac71508e2a6f146f2919b8344eb

Download Submit
C:\GalaxTX\boddevec.exe

Filesize
491KB

MD5
5df1ff7ba466eb0291455ce02a067d7f

SHA1
85e4b6f4b86836618ba44d885185e767f91e24e1

SHA256
9ec587ccda8134b95bdd696d5b704c3bfff10ddab9b188782897834a5f615f98

SHA512
142c81a56429251392817ec2afb824fbcd29e6d1216bc050918df69f6f0d4d3d96abb0a58a6435d5a044a938be0e66b57e300785a13482a98c2352af0ff93789

Download Submit
C:\Intelproc3G\xoptiec.exe

Filesize
964KB

MD5
e35735285aa0a4aa65cafdd7d90575ad

SHA1
29fbe518dfbd15bf68c69b8e7146d77aa382ac72

SHA256
806db3290e4414ae9fe0a241f4908a32a18b7cf476e11a1bf39439a90f3bafb4

SHA512
8c682955ce85a50b127c145fb0782d54ed928bfd73f7f2f01e0b69e39de50fc678a68cb4a0344e5f61b0cfe7c12aad94cb4401495d07bd89f7f9322a0cd053cf

Download Submit
C:\Intelproc3G\xoptiec.exe

Filesize
3.0MB

MD5
673d7fe338d1b566261a57526627af56

SHA1
419e6e905f350d1a42144893b0570f4189784531

SHA256
69703a674da0e775942ebfa4d8f12173b24e66d517447f11e4ee1c35cc98548d

SHA512
15732d830b2c0de27fc889c1e1f8891e334e0a241630750fd7cb7d0ca668d2931f36eb9437bcf199264785669e18ce3524deea6298b56e9dcf6e17aea6f6dd79

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
95196a144b972a533db91da0c840ed5c

SHA1
99780c1bff32d003e1259641fb0fe10e563b6b71

SHA256
1941611cba616e08391909e4b7a509eddf9c9e0e27acb141bc50b23ea336bc8f

SHA512
07f3a50164eab9e443ac371e16aa8b49c10782f534b1bd2174388bdb3f8d050069c00f8cdf971acdd9271e6e3b48f204fe940dcaf6316222ad5ee4d933a5b7cc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
14da63a316693c1319ab99c340337a7b

SHA1
1a53942eaf5a5e71e36e7d59351ad48d98535ae2

SHA256
503fb9acdcd17949b3405c6573ad4c69a740cb3c1814cbfaf3ef305596487207

SHA512
5b6704b61272b781dece4e36c879ad1738a70427737148d811625e1d38929ce36ce85d464b24bdede39e302b0184737eb9d19cf4bb9db11487171aee01577396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.0MB

MD5
78e359b6087cfa8d48d1f7a21173ed94

SHA1
c90a77a2511fb628cf8fe8baf4671b63a8b70b90

SHA256
483b50555d6b0a621c180fc8e62d93fbc228a7e2bf20fdd9d4dc2ae08faa37f2

SHA512
dfa87e1d93a2b62876bd8ffc566caa8fcab3ff8a93a3ca6c32728716518eee40285e74f27d16cfc70faa769c21a840bd8ab06ed3899890ca43433366d5027833

Download Submit