Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 07:22

General

  • Target

    9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    9276f79325ba0e41da5ad0d602c1c340

  • SHA1

    c06b56a2cb6b8be8b3c684a41e5be89d9f2cf1ef

  • SHA256

    ad203fac83feb2654cde73778509b316c899f7ef8383e706c8708f91fb0907e9

  • SHA512

    d01b185674eece2724ee3c91f563e8ab17d23a35374d3f158049c505fa5904330ecf7cfdc489b929f9818fc9cdf8841407aff9beb86279eeac993cda52940547

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1636
    • C:\AdobeKN\xoptisys.exe
      C:\AdobeKN\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeKN\xoptisys.exe

    Filesize

    1.3MB

    MD5

    159cb0aaffe6448704e4011542cfd64c

    SHA1

    d118e593474789e90b400b418fe5698321d5eba8

    SHA256

    07be9c3df18fd321124656f1cc58cfbad80ca7611e0a3e7773bec0041ffe7090

    SHA512

    242627838f6a3d44a5438b060f9d3ab1ee60ed6d9a1983333155d2b458d1843d8e4dc955ac36af37b811f6c06064616381bb86b0840a5fea45e7a691525c124b

  • C:\GalaxRD\dobdevec.exe

    Filesize

    3.6MB

    MD5

    761b9a3f416c10f03ed7b1c469d5228e

    SHA1

    409647b1b673054bf20e1fc0930980a4621f6da0

    SHA256

    82a821533670350ac98e60c964d97906c2fdaa458362fe37bd0ffa2edad00529

    SHA512

    87032fb81518b7bf5575097dea7d0b91438a62298bff461194e5808417547b24830ddba6ecaafb739c01da7ad90403ed4f474d1711f6d3240183513a48f83878

  • C:\GalaxRD\dobdevec.exe

    Filesize

    1.0MB

    MD5

    3ffa38fc481cd4e85d44d35731907b68

    SHA1

    d069e35dfeb4c91b7ed2a88ee204f377d258ce6d

    SHA256

    16908559f8dea4738a78ad7257a3d3b923feeec542e542cae473adb700bb47d3

    SHA512

    e0118ec6ed6d1cda45d28e2d07c4c3c41f1344cfe97611766174c4d887dfec7b2e25251c8e1d126e83bc1a5bedd867b4010165dc15064070c9d44734b39f880e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    c3cb2dd504e1e76b44b5f5c4e2610e06

    SHA1

    b501fab865d601a7ed064b8f007f051df726989f

    SHA256

    fb813d7837c8f4b3d88546b716814597270af1ae6223dc470dc1331c67ce2c02

    SHA512

    9bdfee563fa2902388468802302636c49215c78468f1a158bae002f2b18cc19a78a1b629d7ce6768c0db1c330ea42025fe3d027dd70859cb378b34b5305a77ba

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    155579dd3159a0882cf2135a3794e844

    SHA1

    cbebd78c6541a48f7fe31dc5ddf76803976730a6

    SHA256

    86553530422bbe5867dcc1c5b3480bcfb5ce2cba0315d3ca4da3b755d184e8b0

    SHA512

    c2ca3c3dd6319c13a87dab0be3d049ace7bcd5f15c12cdb64a466f9911f6af76c9ea7b536a977fbc779e70fc8e689d0cdcff868771aaa581c9e07b560e2f3b60

  • \AdobeKN\xoptisys.exe

    Filesize

    3.6MB

    MD5

    be2ff1dc15fdde1296d85a06864f5d1c

    SHA1

    b8b4862e7dd47d8f4e0b6e798237ddf2bb098aeb

    SHA256

    7d2ef72a0e9ba3932cc16d452eb62cc03d61508c8f3874c406ffed0c28aabcd4

    SHA512

    82020fae8f2402c7837a8a4214668fa0ce0e558d6ad6765bcb3986d2c488bba5e2920a246de0a87b4cc962315da351dadb4bf1f3db8396253150bd83c01b429c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    3.6MB

    MD5

    a58348d097e8b6a4c219f21ef2278bd9

    SHA1

    5eb6dbb5df43819493520630063c0900d4cc1e8a

    SHA256

    465503084cd5c810df072fe04f6520b87d19a654cb1ea615b8117671e2d1b6e1

    SHA512

    81809f86a3e8c1e27cef3cfea61202096bb24a17ba084e8a16f82fa0c3775198b33e70b9c4962b7e91fe87584cd2bb8146f0d889d436809cc831d391d4ebe36e