Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 07:22

General

  • Target

    9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    9276f79325ba0e41da5ad0d602c1c340

  • SHA1

    c06b56a2cb6b8be8b3c684a41e5be89d9f2cf1ef

  • SHA256

    ad203fac83feb2654cde73778509b316c899f7ef8383e706c8708f91fb0907e9

  • SHA512

    d01b185674eece2724ee3c91f563e8ab17d23a35374d3f158049c505fa5904330ecf7cfdc489b929f9818fc9cdf8841407aff9beb86279eeac993cda52940547

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4248
    • C:\IntelprocZZ\xoptisys.exe
      C:\IntelprocZZ\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax1Z\boddevec.exe

    Filesize

    1.8MB

    MD5

    abb7e73e082fe6117853845dcc636114

    SHA1

    62158cf48f0f80effa30bf69e7efaf221d8eb73b

    SHA256

    8ea47db9373d794fba0becb0f4f7b864446140b47e166eaae678e0864c0806a8

    SHA512

    f0cbc2482da46615b2fcc5030ae54ed64c9342120a5abd633904a8ef038f02d650ff9479605fdda93331ef7bb104be9306e38da23068098585915ef9cbf8ae89

  • C:\Galax1Z\boddevec.exe

    Filesize

    3.6MB

    MD5

    763ea54c35ba68ead33cac1d7bb8a096

    SHA1

    9bccaa40fa71198259953d8d57840bb5b9f629f9

    SHA256

    ae36c5e8899eb8d2ae1b1530e024ca65ed561736c291147de54a7976305ae88d

    SHA512

    14b779c7be974dea8903f92ebcad30e360b775d434d74669f97951157b4e75cbb8f231af9098bf390775b3f1af1165936224a7332e9f1d93c95503f5af6a3866

  • C:\IntelprocZZ\xoptisys.exe

    Filesize

    177KB

    MD5

    66f104ce847af6497a77e415669d43f6

    SHA1

    b4120d61862f538d7a93b936e6fceb5c402e0168

    SHA256

    22620d92667f3f6fd4b05b6fc9ad9ab1220499a2b70c12e0ccba9d2a98bca301

    SHA512

    f14378115e54d9156717b9723d8b90b462c3ba19d99944cbd8a17c7149d946f0c3bd5f10553cb71dc73e6b0ce10efd93e9c401e11daccbeba0c5c770aeedfaba

  • C:\IntelprocZZ\xoptisys.exe

    Filesize

    3.6MB

    MD5

    35cfdcd973a4ea32d028104a8ea454ab

    SHA1

    7d806f49b3588cd6749c80e36373eaf4a4623dfa

    SHA256

    789bfc91a9141d63224a60c758d2af419d7eee49b0c0046a2063c23db91a0ef5

    SHA512

    56d011f91865cf08d1dcb9c812ac794ef5ef77356678e7a28723a0624df4059fe63ec956e45409587a6b96f2b384b164c1f0c25af50516503f517f57b590fd31

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    47ed95f3dbed7d311263f96dcc6b0542

    SHA1

    88c6f92fa9a2cd6cc2f06644fb768856e82d2c4e

    SHA256

    9dfa26834ecd0b9ab99012e854507775dcb6952632d9a86b62a2f7ef60c56c62

    SHA512

    c60879f8f525133f865b58e7127c2e6b93415fee7d9d7eaefa22a00195e219bd68675651c280f73a43e069c21fecf0c807c486ae4a587a342d706b86c7590819

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    a5982ed2f106f3141848f3f38a69421c

    SHA1

    333a330c685dcc1b06f0baa4461e83aa030b8699

    SHA256

    30e3f615ea111df612cb4e2317f5f3bb9693f0a261f8240b9bfcb6b5c4e699dc

    SHA512

    8237ed103e0fe58264016addd2f8ed8b6c32773d6aec9a723f38c94ca06e05e0d1da9f471470973ce2e15786a3077dddf70202b2f7b8a4e3b4fc2ea8765dcf77

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    3.6MB

    MD5

    cd15e55625190cff78b6d1b7dbfc82f4

    SHA1

    1d5899a01d276a6352ab6943d19ab55720040be6

    SHA256

    75dd5f8e34d072304537e281c903e1312205e41c044226c4c36c3b12e5621910

    SHA512

    bed01f9a6b2503fe2e6d96de35de9c1af5eecd5ab94d9cdb265a3bef18a493b75e9d28858ab6bec46c175baef2f80f6d41ed577eb0718aa4b565e3941c49e96f