Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-05-2024 17:22

General

  • Target

    02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    02bf927ea3e045428e9b0b00a75806b0

  • SHA1

    bd6d303b071ecb86a3f5646290ca4b04328168b6

  • SHA256

    0249dc90c9d106d075a4b6aa40c00ff321689a5097dd46dbbfc7237ca2292a59

  • SHA512

    838bba160850ee25fe216e0807afd1949f9fb58d3ad110aede84e998d6af0ad070617c7bfda2e4d89c02d53a88bedab96d237e4f0e7b821ac14532e1e2e57e49

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, autofill form data and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3016
    • C:\FilesTJ\devoptiec.exe
      C:\FilesTJ\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesTJ\devoptiec.exe

    Filesize

    4.0MB

    MD5

    81b34e3d90f0da9c030fc74ba8aae328

    SHA1

    5302033a32ac4fe165d3774ca66b9af425158133

    SHA256

    7bd9aebebdfaa6f2f847d2faf34e06302013e61543943da56301db02493c29b1

    SHA512

    ff7605caf5d109653f9c92fc336cdc59f901a2a96b444aa5c0ce6f9850c7c793b4e794525d31f33748998c4bb352e2df26cec30aa21ef29035a26ad54862d9d5

  • C:\KaVBS6\dobaloc.exe

    Filesize

    3.9MB

    MD5

    bf0bd8b662ce103fddd57a63ed98a09b

    SHA1

    4f6bd6c269ed47144fe0f187a3dc84dd12f43519

    SHA256

    566546c8236cd019211aed7b25efb034d6790ea865f307ecfa54a9217900a383

    SHA512

    cdef21b24deb3b3ae0bb658436dc5db53ff8ce992cc17e1e9c27f26be10737c3703028f15ed1be710d803a298030c95bd9e9e967fe584cde1881e2cd89afc5ce

  • C:\KaVBS6\dobaloc.exe

    Filesize

    4.0MB

    MD5

    98a83d662149f4f63909a8a7a9fa9fd6

    SHA1

    a697a1970a7f8a180df5d5e5e3bcd61600b3a636

    SHA256

    8aed944be0ed1a47c4bcaf269fda0ea91fc75b04f71e6a5ea149f1d4a04c1343

    SHA512

    e5c88b488d63110acbd126416581366ef61ae74e56df05777f827aa2ab94ad8c49dbb244c665b1615403f0adaac28cb8ab8df5e76247142feb2bca0863e6135f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    a268ded041bd29bc419d1f158ae44092

    SHA1

    56faa46a8738f14b100ed5279eeee0be5b093542

    SHA256

    ce7a8a30f7eda5bf6364c7339c10695a31023be22569f2c4f00f44a75743178e

    SHA512

    a4115bce5432c4daecd8e3fc943b211a9d87c442b21306f9f2d442c7d21f04123a9b0e7e755831953ae315c0e5d976be97426182eac286b04fd610993de4a30c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    539c8c652ea4ebcf1dc1e58000557b59

    SHA1

    0a4de3cdf96cab82688a32e65811113f06f3de17

    SHA256

    cf82dbb65ab3f9226d95ffde1af0b6077bbc630ef1e41fc8b6bf3955e0b76302

    SHA512

    728d4b68b9e83072195d18216b9078b0a9ebedf23a65c7b4794f63ef7edce007f28a3c7d2fa2fc18053eb26dccbb05641a95e2e346bcef33aaa5fd59654c61bc

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    4.0MB

    MD5

    a510c7a69b1b163855c7b245d4d5d124

    SHA1

    b3049a0d91daedab4e3c72625905e8d535c34956

    SHA256

    672038e252493c3fae402f42ac61b87982d27c55ea2e31f8f512fd9208a744e7

    SHA512

    7c1f1aff4ad5a0c76810257a3248f5f36e9f4c826b000dcd8ef065f03ff8bcc346867b8cab7b035bc41eaacd33b2bd55bdda75a51f05364eddc21fcdf20e3ba4
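Host triage script for the artifacts this report records (added here as an example; it is not part of the sandbox output and not the sample's own code). It covers the two behaviours the Signatures section flags, the Startup-folder drop and the Run key, together with the dropped-file list above. Note that the same path C:\KaVBS6\dobaloc.exe appears twice with two different digests and sizes, and every copy the sample wrote (the Startup-folder copy, devoptiec.exe, both dobaloc.exe writes) has a different hash from the parent, so the script treats a path hit with an unrecognised hash as a finding rather than discarding it. Assumptions: it runs in an elevated PowerShell 5.1 or later session on the suspect host; $env:APPDATA and $env:USERPROFILE stand in for the sandbox's C:\Users\Admin; the marker .ini is matched by a wildcard because 253086396416 is taken to be a per-host number and "6.1"/"Admin" the NT version and user name of the sandbox (an inference from the file name, not stated by the report); the hashes and paths are copied from the report, everything else is this script's own logic.

```powershell
# Added triage script, not part of the sandbox report. Looks for the dropped files,
# the Startup-folder copy, Run-key persistence and the per-user .ini marker.
# Assumes an elevated PowerShell 5.1+ session on the suspect host.

# SHA256 values copied from the report (parent sample and each dropped file).
$IocSha256 = @(
    '0249dc90c9d106d075a4b6aa40c00ff321689a5097dd46dbbfc7237ca2292a59',  # parent sample
    '7bd9aebebdfaa6f2f847d2faf34e06302013e61543943da56301db02493c29b1',  # C:\FilesTJ\devoptiec.exe
    '566546c8236cd019211aed7b25efb034d6790ea865f307ecfa54a9217900a383',  # C:\KaVBS6\dobaloc.exe (first write)
    '8aed944be0ed1a47c4bcaf269fda0ea91fc75b04f71e6a5ea149f1d4a04c1343',  # C:\KaVBS6\dobaloc.exe (second write)
    '672038e252493c3fae402f42ac61b87982d27c55ea2e31f8f512fd9208a744e7'   # Startup\ecdevopti.exe
)

# Paths from the process tree and the dropped-file list; $env:APPDATA replaces C:\Users\Admin\AppData\Roaming.
$IocPaths = @(
    'C:\FilesTJ\devoptiec.exe',
    'C:\KaVBS6\dobaloc.exe',
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe')
)
# Assumption: 253086396416_6.1_Admin.ini is <number>_<NT version>_<user>.ini, so match loosely.
$IniGlob = Join-Path $env:USERPROFILE '*_*_*.ini'

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. Every drop in the report carried a different hash (dobaloc.exe was
#    written twice with two digests), so a path hit with an unknown hash is still reported.
foreach ($p in $IocPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $known = if ($IocSha256 -contains $h) { 'known hash' } else { 'UNKNOWN hash, path matches' }
        $Findings.Add("FILE    $p  sha256=$h  ($known)")
    }
}
Get-ChildItem -Path $IniGlob -File -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("FILE    $($_.FullName)  (marker .ini candidate, $($_.Length) bytes)")
}

# 2. Run-key persistence in both hives: flag any value pointing at the drop
#    directories or file names seen in the report.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$Pattern = 'FilesTJ|KaVBS6|devoptiec\.exe|dobaloc\.exe|ecdevopti\.exe'
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $val = [string]$props.$name
        if ($val -match $Pattern) { $Findings.Add("RUNKEY  $k\$name = $val") }
    }
}

# 3. Live processes started from the dropped binaries (Path is null for protected processes).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -match $Pattern) } |
    ForEach-Object { $Findings.Add("PROC    pid=$($_.Id)  $($_.Path)") }

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' } else { $Findings }
```

Run it as `.\triage.ps1` (or paste it into an elevated session) on the host under investigation. Because the dropped copies are rewritten with new content on each drop, the hash list is only useful for confirming an exact match with this sandbox run; the path, Run-key and process checks are what will actually catch a fresh infection by the same sample.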