Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 10:43

General

  • Target

    f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    f5136e16d689d43ffc49dbf8e94f7f40

  • SHA1

    87fd4ac2e07d66898adeeac14b85c56e9c869b9a

  • SHA256

    2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2

  • SHA512

    5e2a60add685d74850dece08310e15318e47e37995281cc86aab5228207614315b2667662ce92eefbe7673dddce73dcd0d221a17feadfc4d16c2f1d17f6f676a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8:sxX7QnxrloE5dpUprbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2516
    • C:\AdobeOA\xoptiec.exe
      C:\AdobeOA\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3744

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeOA\xoptiec.exe

          Filesize

          345KB

          MD5

          20e1191a3af7f287cc2a2eec1935777e

          SHA1

          2a2d1262a48a791d746410752856b61f24125083

          SHA256

          e8e67342b6a2d59e5863f3665cc59fdda9ad41766b310ae49d2bbc73f235ec69

          SHA512

          43065932170b8afcc4e88062e1a0101e7f007b98418e7c93d27a990898579d2d3822f54eeee28620f1ffa7c569746902480b23c60bf5977ac2b00738949f8434

        • C:\AdobeOA\xoptiec.exe

          Filesize

          3.1MB

          MD5

          81dea9c37b017da3f684a6b9efc4419b

          SHA1

          49c0dd12ccd7cef38bac7c83985675933ba9fa4a

          SHA256

          332d648a9e3a13b578870cc9864b202ad5928edc9e4311121dc966d6a1856f58

          SHA512

          b86954210bb81909f92cb890d7d502000891065bd5ea1febae30bb9d07a585a8f2ad4499c5a3390dd9dd3eb7a9a08ebc6919e9b3e57515df55d5c4fd21ae1afd

        • C:\KaVB6L\dobdevsys.exe

          Filesize

          55KB

          MD5

          2993743e97101bcc2692d14a9df3b0ac

          SHA1

          6dfadb8e5770f049f1ff6bf105439012ad76cb42

          SHA256

          57805ba6bb90791255d15d49daf1b3641772b7d4d19babdc1e0bee563385c1be

          SHA512

          2b18954105ebf5fa991b2844f7a09bc867b44441c8cabb386ce9a7474d28f0d9f3fa4ff09aea02d6bb96a5da288480a1f05a138e5c4c32b18a96c6a810645dea

        • C:\KaVB6L\dobdevsys.exe

          Filesize

          3.1MB

          MD5

          8fdffef8a19ba1eba75a253463f3473f

          SHA1

          413d88322e499fcd9d00243592494f6430103f33

          SHA256

          e8c073d7e4b8184059057ddd8755dd60975b8368a63ef6aa01af346077ddc6d4

          SHA512

          82ddb2e1c41b717a287a70ab7e75c720c5d1835b7ac12544ba63b40563eabb116e46af341fc873ad4f1dc6fec4574e6d571864cc96db4a15d81b923a6f5a6931

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          f9d8a8e62ea17d2f40c805dce1412989

          SHA1

          e00171ac785d929693aea980be66e1f23aeadf3d

          SHA256

          8d0c39a257356ff9f753d081439d05e9f138ed03701e6038a37f5e35525995bf

          SHA512

          bb7572f691ec6fc2a6eb2fa763da3bd33eed12a68ba29edcdc35b3ca0c29fdd07fff9f7b7e788a1b744cd136ddaa31d724c50a6903b959d349224fabcdfd03a1

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          93f241b3d14f79cd1b71132985f7e952

          SHA1

          a1dda9e14ebbc7c8403013471bacf026189989b2

          SHA256

          bcc6c96e9d11dc083fb3276a6c732c65c6ef55d29498658d4fe96725ee9f9a08

          SHA512

          d41b78a33df75e59c7f3736c8d86f0aee5073b1cac861fe4011115ae1bf0ee04f1836cfaebc531806fed6cc6da735f8412cdb1aa68db5b2d6edddd607dd25205

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          3.1MB

          MD5

          c4effd59be91ae5f838e5f1a30de3caf

          SHA1

          77e8a75508cb7dc1b6d7db3ac1cb8190c2dfd13f

          SHA256

          321d70efba9f8acf1f552313cb6e23e309cbb0f2d6418e861b865b939c6c607d

          SHA512

          ac827f9d05e7b78d510bdfb1a651cfde84ea0249002902bbed8bb400bfc34bdbeccaa7d8cc3b0de7c9568cf4348a89ac7fc49f565d3626f28adb1223926f6b39
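
The signatures (startup-folder drop, Run-key persistence), the process tree and the dropped-file hashes in the Downloads list above together describe what a host hunt should look for. The following PowerShell script is an added example and is not part of the sandbox report: it checks a Windows host for the two fixed drop paths, the per-user Startup copy of locxdob.exe, the profile-root .ini marker and any Run value pointing at the dropped binaries, hashes whatever it finds and compares the SHA256 with the values on this page, and lists any process still running from those locations. Assumptions, also marked in the code: the report does not give the Run-key value name, so every value is inspected by its data; the "Admin" profile in the report paths is replaced by every profile under C:\Users; the single .ini filename in the report is generalised to the wildcard *_10.0_*.ini; a file at a known path whose hash does not match is reported as "path only" rather than ignored, because a rebuilt variant would change the hash but not the drop location.

```powershell
# Added hunt script for the artifacts in this report; not part of the sandbox output.
# Run as Administrator so HKLM and every user's profile and loaded hive are readable.

# SHA256 values copied from the report's General and Downloads sections.
$KnownSha256 = @{
    '2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2' = 'submitted sample (3.1MB)'
    'e8e67342b6a2d59e5863f3665cc59fdda9ad41766b310ae49d2bbc73f235ec69' = 'C:\AdobeOA\xoptiec.exe (345KB)'
    '332d648a9e3a13b578870cc9864b202ad5928edc9e4311121dc966d6a1856f58' = 'C:\AdobeOA\xoptiec.exe (3.1MB)'
    '57805ba6bb90791255d15d49daf1b3641772b7d4d19babdc1e0bee563385c1be' = 'C:\KaVB6L\dobdevsys.exe (55KB)'
    'e8c073d7e4b8184059057ddd8755dd60975b8368a63ef6aa01af346077ddc6d4' = 'C:\KaVB6L\dobdevsys.exe (3.1MB)'
    '321d70efba9f8acf1f552313cb6e23e309cbb0f2d6418e861b865b939c6c607d' = 'Startup\locxdob.exe (3.1MB)'
    '8d0c39a257356ff9f753d081439d05e9f138ed03701e6038a37f5e35525995bf' = '253086396416_10.0_Admin.ini (202B)'
    'bcc6c96e9d11dc083fb3276a6c732c65c6ef55d29498658d4fe96725ee9f9a08' = '253086396416_10.0_Admin.ini (170B)'
}

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Where, [string]$Reason, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Where = $Where; Reason = $Reason; Detail = $Detail })
}

# Hash a file if it exists and record whether it matches a report hash or only its path.
function Test-KnownFile([string]$Path, [string]$Reason) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $detail = if ($KnownSha256.ContainsKey($hash)) { "hash match: $($KnownSha256[$hash])" }
              else { "path only (sha256 $hash); treat as a possible rebuilt variant, not a clean file" }
    Add-Finding $Path $Reason $detail
}

# 1. Fixed drop locations from the process tree and Downloads list.
foreach ($p in @('C:\AdobeOA\xoptiec.exe', 'C:\KaVB6L\dobdevsys.exe')) {
    Test-KnownFile $p 'known drop path'
}

# 2. Per-user artifacts. The report shows the "Admin" profile; check every profile.
#    ASSUMPTION: the .ini name "253086396416_10.0_Admin.ini" is generalised to *_10.0_*.ini.
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe'
foreach ($profile in Get-ChildItem -LiteralPath 'C:\Users' -Directory) {
    Test-KnownFile (Join-Path $profile.FullName $startupRel) 'Startup folder persistence'
    Get-ChildItem -LiteralPath $profile.FullName -Filter '*_10.0_*.ini' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-KnownFile $_.FullName 'profile-root .ini marker' }
}

# 3. Run keys. ASSUMPTION: the report does not name the Run value, so every value's
#    data is checked for the dropped binaries' names or directories.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runSuffix = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeys = @("HKLM:\$runSuffix", 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') +
           @(Get-ChildItem -Path 'HKU:\' | ForEach-Object { Join-Path $_.PSPath $runSuffix })
$iocPattern = 'xoptiec\.exe|dobdevsys\.exe|locxdob\.exe|\\AdobeOA\\|\\KaVB6L\\'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty attaches to every key.
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if ([string]$prop.Value -match $iocPattern) {
            Add-Finding "$key\$($prop.Name)" 'Run key persistence' ([string]$prop.Value)
        }
    }
}

# 4. Processes still running from the drop locations (PIDs in the report are sandbox-specific).
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $iocPattern } |
    ForEach-Object { Add-Finding "PID $($_.ProcessId)" 'running process' $_.ExecutablePath }

if ($Findings.Count -eq 0) { Write-Output 'No artifacts from this report found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The script matches on path and file name as well as on hash because the same path appears in the report with two different sizes and hashes (xoptiec.exe at 345KB and 3.1MB, dobdevsys.exe at 55KB and 3.1MB), which already shows the dropped binaries are rewritten during execution; a hash-only check would miss the next rewrite, so a "path only" hit is still worth triaging.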