Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 07:11

General

  • Target

    9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    9218265fb231290964c8f92d64cf2f50

  • SHA1

    f521242e65fd3250e3ae999b05f831b53e593838

  • SHA256

    efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e

  • SHA512

    ac501c8265c6df08fa7a4f45444d06f798350f3a6de35442dbcb84b00047ca53f17c703ac39fc9ab5714871ec3e0e04bdb1223eeeb88301f59e7ec5e8603373e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpeb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3248
    • C:\AdobeAQ\devoptiloc.exe
      C:\AdobeAQ\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeAQ\devoptiloc.exe

    Filesize

    1.8MB

    MD5

    7bfa6806c82ccb87583a1413d623a059

    SHA1

    6363a8302ec0e4ec88fa5d84b4f62a97069585e6

    SHA256

    2dd2b02e8e0ee2d1a2d223c4afe7706174a7eab60443157c9cf3a03ff6c16c29

    SHA512

    c4b758f1b855ed1692353a4f3927c04a2f2720c0aa4b990bea5338704fdcc213979f64208ad96cf2889cf1fd88a25da292ced468c7caf5c4de8fbe0ac0744273

  • C:\AdobeAQ\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    c6201d853cd4fab72ce3cc1a402e4c5b

    SHA1

    e6ee620ac1f9a09ebe305efd1eec391e8eed529c

    SHA256

    40e942cdf9d04fc0f7f76ea34874b22cd98f348771ac0d3a606cf0acba8399bc

    SHA512

    702845f84e0d256ee229b123f1a4d7844d21a79f4573cb064ed4e0da37bfe18111b6351063413f83e7cf1f537b77c992d0450860f9f8f07e527ad3bda655f4d2

  • C:\Galax8A\bodaec.exe

    Filesize

    602KB

    MD5

    78e689b1693a09f0e68385e004a58793

    SHA1

    1feb8278a303d75309047e4e7a2f898fbb5588fc

    SHA256

    cab100074e54c13155de6a58365c1adc05490400be37f5d0c40c1b403b208878

    SHA512

    a86c53a25dec391e059b8818790a5ebd670fe9407d208f147da9c3d1a65c84c72ef0425ff38e361a13f903a8b23d0d96951a219d3dbdd8a19ee2d9cdbe54e609

  • C:\Galax8A\bodaec.exe

    Filesize

    1.6MB

    MD5

    ec463a08f11d892c223029dd1bde52b6

    SHA1

    b3712ef6852c8285efff050ba46e51db7dd667b4

    SHA256

    eebe92a07fb459ec41bcd5c56c7721e0c6f8407ab8b0a083a539641dcacd5425

    SHA512

    43e70d0e92b9e70a7c3bd693514ec5cb66af71958cb1821b5f668e48e230a37b394aa7af79bc9f125a3dabaf5b81a84f8b6019d08a1b7ee509a655403d60cbe1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    fbbdc9a2c89a3f50d0a7b1978dbe8c5c

    SHA1

    58252fbb4d0df8021e268bf5074679e2a9de26ce

    SHA256

    a9a14db8788e6c2325c5120692f755e3871ededd0757e184527ec5bb230f1b4a

    SHA512

    a3da38f340602e01163be40819c3f08a278c7b5bf73da8aba7215cd59f668e62dead112951bbb107ad729c847762f248054e67bb0f8a4cec6ae3fb327f7e6d36

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    89f0e8dcae8d91bd555b1adf10e5483c

    SHA1

    a47b6df9fd7f84b7f8f3dc10734cec25499d408a

    SHA256

    f46f81e1d33a2056f2850210cfc3d02a4cd2b5a64bd677785b0f6071363deb82

    SHA512

    a1e53fbcef86a8134bf79ee6896cdb13d7c9305742b75c66e2d8f8999e619615858d346c334790a608ffe9ec980493387b06d774ff9835807b7712b34197dea5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    422e51efbfe9dbae5e0289de0e28461a

    SHA1

    49461f8ec7a7586a10b8f8119c4ac0847b7e9016

    SHA256

    c63b5f21f351d52ff864d5dc97aed42545432822e032c7116da3d791617b8bfb

    SHA512

    51f71f2e907e0a95bf6a3a9d36bc2124dd76ed1ef3c32520e42893ded7e25ebea29ee93138049458d18ebb2233afb551aca88d61b78a10168795883d700adfe8