Analysis

  • max time kernel: 150s
  • max time network: 132s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26/05/2024, 03:16

General

  • Target: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  • Size: 3.6MB
  • MD5: 5a23077e9e58a3b323a0e8b90632f9c0
  • SHA1: 4829630d1fdd1c7981a915c902eafa18aa4e3f20
  • SHA256: 60d45cf36c25afb59d0ebcf196c64fc5e96ed35c156f6dd3e4809d82c557f48b
  • SHA512: f957a3bca3e3e542ed2b210bcf02a8f07b2547eecd21db1ebdda2581efcc7d8d53b10dbc87c038640a348cd13231c5171c858e2bad75d9e50e7f7df248343021
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1256
    • C:\IntelprocD4\aoptiec.exe
      C:\IntelprocD4\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2000
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
    1⤵
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocD4\aoptiec.exe
    Filesize: 1.4MB
    MD5: 846f420d2ff4e271aaeb2dfa83826e75
    SHA1: 8658064734b3a41f270b9605ff38ca279fe44694
    SHA256: ef96f4202310d3279c44697c1c9cad315fb83e6cf34915f154205187354c3059
    SHA512: 42d700b9748049718af6a0aef42d90467ba33628ba45ebfb5ded1f42442a7626073d502351ed355210e1ead2054e615c43b60bb135b516cce93c99208806d5ca

  • C:\IntelprocD4\aoptiec.exe
    Filesize: 3.6MB
    MD5: b51798fdf62b5466fab42bbb393002a0
    SHA1: 5541ce2c9c1012f46a83ceaff7bacfb5ab408bd6
    SHA256: 1ec498d01fdc3527845b07a1804651e9c6286ccc74ee3e5a6e36fd0252b31f09
    SHA512: e918c938b9b24f10b530dd17d7c3e844a37b5af7113ea4b9687d7647f73597df0f2d8b7887a7f25cddfb56014d8c40ccb559b192fc2f30caf448c024282542ed

  • C:\KaVB77\optialoc.exe
    Filesize: 2.0MB
    MD5: 3d61f5980a01c44e89ca0990aa7c62e8
    SHA1: a089598220eb5b0d94aad429acbc10feebc9559e
    SHA256: 55110208d72f3943be9d8bd5154f66b3059c7644b9bb47e9682c7b99751bf6da
    SHA512: 080ef59b1e1e30de263408c885e06c71b302f24adea3e9bd5e9bcf92b4b31cb82cca5ef396b55dc56db8639b93dcf0ab53a4c881483fc5e7cf6bca05ef4d4f0a

  • C:\KaVB77\optialoc.exe
    Filesize: 673KB
    MD5: 03f0c6a6fe78e5bc7540c9c0acdfe667
    SHA1: 73e6cb9b5478d0fb1f8a6b0326b7f0c1ae71de50
    SHA256: a303a059788bcf9842c86e9ad1128c90cb808e9363846c03db5b6c959b8de4ec
    SHA512: 8dc59c53d532d5b88a5a872a2379f9191298fd5a66901c3b1cc555db3ab9421abe7b14c91fde491c8c63ec66be72306ab5d6c0bb4813e974712dba8449ad7410

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: 673b2dfe0636b8effc34f00dee2ad33b
    SHA1: f95329bf0d1f7e3f40fb42873cd621523c0a2545
    SHA256: 2c18e6483af92afdcdc3db4793a383e8aa3ddbd5425e8205b6145a0a2df1f5a3
    SHA512: b0376c2c3e2287fe76a0788d3840618ce57fc3f608a7b59fde241a4bec24c44239f60d53c7cc6e697c9c8c5f92bad57b8d28c28ec7dd036ac353e8ca5a7d1435

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 299cbfc1d6dbb17153d90037a7e50fd9
    SHA1: 19a09fe29443829899c60043efade80403ced503
    SHA256: f020577056b04361884dd821bbcbceb350399f52414ff86ab416d6f3cec56b1b
    SHA512: 17d3895812744ead222baa9e3f75f5824ab4412a4f61d573303db38e4ebacd8e732d3a2d176790d8bf89d1b407f6803260088b9509c969187e0c9888469aeebe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Filesize: 3.6MB
    MD5: 7b93a4e66fa3765d938db7bf837cff7d
    SHA1: 810688040286ddb14d6ec111bd4cf80ae1b53003
    SHA256: 6922f3c7f9cdefd8c5cced8cc00f0ffaebea77a1d762c6db2c2f1172fa646345
    SHA512: 5ddb060f6d12568f314f097ec6b775f0aa0ecd0e7ebe93e9318363a587c0f371bedb326d449dce5ca86097b8ebaeee525dfc5370f923835ac6e20fe810f0c3ad