Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 10:43

General

  • Target

    f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    f5136e16d689d43ffc49dbf8e94f7f40

  • SHA1

    87fd4ac2e07d66898adeeac14b85c56e9c869b9a

  • SHA256

    2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2

  • SHA512

    5e2a60add685d74850dece08310e15318e47e37995281cc86aab5228207614315b2667662ce92eefbe7673dddce73dcd0d221a17feadfc4d16c2f1d17f6f676a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8:sxX7QnxrloE5dpUprbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries from the user's profile directories.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2572
    • C:\SysDrvXF\abodsys.exe
      C:\SysDrvXF\abodsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2528

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrvXF\abodsys.exe

          Filesize

          3.1MB

          MD5

          df7fa9e729488246ee0425f921c8fd36

          SHA1

          65591321bf1615113575a4434ff329b861066628

          SHA256

          5f9f0e1f768d9deda245eca5fcfd6f401bb8c60cf37295d8e6bc1b9c66c9c365

          SHA512

          4fcd91e6b1499a9657c425e5c1deae95cfca5946dc851dd4da5aafec5f0cf7d6523afaf2bd1d67b823e68626b4eebc228405862cf4e2e5f9cb5a49ece86a684e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          6d949a9b3899e7a9ab231041d70a9080

          SHA1

          9097f87cca17c84b4704ead3d12606036271d09c

          SHA256

          0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa

          SHA512

          da7f6e86fa077c69657121fcaad9198b0add42dce6f1d0fd362f28ad200219c91c6d6e7f2f7da08c9e204fabf3a9afa61a37a7655c1e9818c48438cf55a8e3ab

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          461c8d513f979b1d4ddb5d7d1ad6cd48

          SHA1

          a1058425371677703145eaf38aed7815a5910cf0

          SHA256

          eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c

          SHA512

          82c3ff71bcdd1c3c205bbf0a7d3293c0e7fcdfe54b430c331eab2d981ba059a1c03c98b13364d39565c8d06271d9dbcba24f6be2d0d5cb808ac878042bed3641

        • C:\VidT6\optixloc.exe

          Filesize

          3.1MB

          MD5

          220e15dd5527891136f5faf5db678d45

          SHA1

          8965bef77f13d4b7efe541f0da6f6daea3d2325f

          SHA256

          0159d71873cf5aef7e2d54b3ddc49c1440eaf5b9ae6b5ab060fbcf32b88a40c2

          SHA512

          f0395c1039bb818a89a8a376cabf32f0f01e2f7dc9251411b1f42597787ba84f4993753a7b9f6b0c0115e705c4f6d5bb8ef7d9630fb605b5b51a145e44e906a3

        • C:\VidT6\optixloc.exe

          Filesize

          3.1MB

          MD5

          0fbb3b036957b6a87448dee9c81ff188

          SHA1

          385b34d6bdaef7c16f30afd8852420094a0c979f

          SHA256

          90e2676b0a1da4cfa1e1008da4ad87401582cb3fab109f8a57a9789ceafab159

          SHA512

          de9790f480db055e2e8170e25df772b9b594f0b52ef59248b1d5651540309e245c240bd6159fccef0c90d61f19c1ac154123ae91e94c92f595cbf2cd5990b7c7

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          3.1MB

          MD5

          3f8d8fb734e378cb7d375aa1c4fb7db6

          SHA1

          39714a73b8889424cf93f5f86db9a7cc83b9e7a1

          SHA256

          b2b6039ee683f0db5e46b273aca3ecb59e306983a975f186030890583c18b783

          SHA512

          17105fd2b3c1b92753499e286ca306fc05b20fc1e630c92a1cc0a3b36b0b007a4e6a2eee7e515b48fd49a3d834cbfe071920da19f29d97ff219a5144c0dc254e
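The dropped files above are all 3.1 MB like the submitted sample, yet every copy carries a different SHA256 (and optixloc.exe was written twice with two different hashes), so a host hunt should lean on the drop paths and persistence locations as much as on the hashes. The following PowerShell script is an added example for this report, not output of the sandbox or code from the sample: it checks the current Windows host for the listed drop paths, hashes anything it finds against the report's SHA256 values, lists every Run value (the report records that a Run key was added but not its name or data, so only values pointing at a known drop directory are flagged), and looks for the profile-root .ini using a naming pattern that is an assumption generalised from the single observed name 253086396416_6.1_Admin.ini.

```powershell
# Added hunting script (not part of the sandbox report). Run in an elevated
# PowerShell on the host under investigation. Read-only: it never deletes.

# SHA256 values copied from the report: submitted sample plus dropped copies.
$KnownSha256 = @(
    '2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2',  # submitted sample
    '5f9f0e1f768d9deda245eca5fcfd6f401bb8c60cf37295d8e6bc1b9c66c9c365',  # C:\SysDrvXF\abodsys.exe
    '0159d71873cf5aef7e2d54b3ddc49c1440eaf5b9ae6b5ab060fbcf32b88a40c2',  # C:\VidT6\optixloc.exe (first write)
    '90e2676b0a1da4cfa1e1008da4ad87401582cb3fab109f8a57a9789ceafab159',  # C:\VidT6\optixloc.exe (second write)
    'b2b6039ee683f0db5e46b273aca3ecb59e306983a975f186030890583c18b783'   # Startup\ecadob.exe
)

# Drop locations from the report. The Startup folder is resolved for the
# current user instead of hard-coding the sandbox's C:\Users\Admin path.
$Startup    = [Environment]::GetFolderPath('Startup')
$KnownPaths = @(
    'C:\SysDrvXF\abodsys.exe',
    'C:\VidT6\optixloc.exe',
    (Join-Path $Startup 'ecadob.exe')
)

$Findings = @()

# 1. Known drop paths: present at all? hash matches a reported copy?
foreach ($p in $KnownPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256 -contains $h) { $detail = "SHA256 matches report: $h" }
        else                           { $detail = "present, hash not in report (copies differ per run): $h" }
        $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Item = $p; Detail = $detail }
    }
}

# 2. Any executable in the per-user Startup folder: the sample dropped
#    ecadob.exe there, and a fresh drop will not share the reported hash.
Get-ChildItem -LiteralPath $Startup -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $Findings += [pscustomobject]@{ Type = 'StartupExe'; Item = $_.FullName; Detail = $h }
}

# 3. Run keys: the report only says a Run key was added, so list every value
#    and flag those whose data references a known drop directory.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $data = [string]$_.Value
            $flag = $data -match 'SysDrvXF|VidT6|\\Startup\\'
            $Findings += [pscustomobject]@{
                Type   = if ($flag) { 'RunKey-FLAGGED' } else { 'RunKey' }
                Item   = "$k\$($_.Name)"
                Detail = $data
            }
        }
}

# 4. Profile-root .ini. ASSUMPTION: the observed name 253086396416_6.1_Admin.ini
#    looks like <id>_<osversion>_<username>.ini; the wildcard form below is a guess.
$IniGlob = Join-Path $env:USERPROFILE ("*_*_" + $env:USERNAME + ".ini")
Get-ChildItem -Path $IniGlob -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += [pscustomobject]@{ Type = 'ProfileIni'; Item = $_.FullName; Detail = "$($_.Length) bytes" }
}

$Findings | Format-Table -AutoSize
```

A hit on any DroppedFile or StartupExe row is the strong signal; a RunKey row is only meaningful when flagged or when its data points somewhere outside Program Files and Windows, since the report does not reveal what the sample wrote there. Treat the ProfileIni row as a lead to inspect, not a verdict, because its pattern is assumed.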