Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 22:30

General

  • Target

    7708296758770825dd203c43b4624550_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    7708296758770825dd203c43b4624550

  • SHA1

    b14636f2b188b10111126620f78646ebd1dd883b

  • SHA256

    99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c

  • SHA512

    e99bd73e6d4a7b5d89759701b5eb94dcb6ef78e389ad50111f925b1bdc8cf8060922ef23f771e2b106ed67d0b286da1f86ba9f11456e150420623af92c848b89

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2648
    • C:\UserDotTV\devbodloc.exe
      C:\UserDotTV\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxDG\dobaec.exe

    Filesize

    3.0MB

    MD5

    05e72b07eb4af0df1049aacd39b3f180

    SHA1

    ebb6727ce351059ef9bb672462c173ac5466b8b1

    SHA256

    440422553fd39eeb18b6f223a93944d70369b1ac209bcceb6847bad44715d193

    SHA512

    a8473742b5eb490ac046fb3d5220e59e4c023ec3eeb8891725c059a290f51dd94d6fedb9d5c8f3197dccc6a64bf616c85cf5e7b12c55fb5609dd0e37a0cc4018

  • C:\GalaxDG\dobaec.exe

    Filesize

    3.0MB

    MD5

    de64d349479f69b68610895bbdd8bc55

    SHA1

    26ca7421ef1c7647cd51c68b3fac92b3393213c6

    SHA256

    cccccbf6106dba278596b848891826eb640e945280438323d771768137e54379

    SHA512

    b70bb5919a35129099f2df34a7be700b3dd8ae2d82934aa083cacbb9724c73756bc66d3dc86b267a836051476ec7c135c69c7cc695e61834d7df090bbb53b4a1

  • C:\UserDotTV\devbodloc.exe

    Filesize

    3.0MB

    MD5

    c000603fb33208ee88647981798e4762

    SHA1

    1c4251d64addf30017ed66d1981e46c251717139

    SHA256

    79776fbf17f0129380b9768fc4c711d9702e033fb79bce0efe4d9c18fbd35c7a

    SHA512

    9b59f7a9bed7508320160c8c589a9bab72c8ee981cef2c056434dec1750f77702cde98eb8b504125158670ec27216ac5770af685db655f85dea6b0123682eaef

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    be259b90fcf3c1ca2313f7509949ef46

    SHA1

    1aa5ca8d9f3267e9df1b66612c7010c930be2d5c

    SHA256

    009790ab4203d870daac86e2e1dd66f07cd24360a8633f307d1db2160cf33233

    SHA512

    4d58f4887f60b6f148987711bab19446ba8951db4c5ce7ccfa9d206cdc82bd3f3c9093d87bf998d2de08322a8f7db5d01f77515210a48222e8d8cbcb76820220

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    87b6bcc461dfe9df391f787e0b69a436

    SHA1

    f6a492d9404b62ed47d568564d5e27b5bb7e90df

    SHA256

    78f609a925912342db9d6eec4acfd094b5acb762275af5fd99f8b87fb45ec4bd

    SHA512

    c0e5c096272b781ed2c726acafa1c6f1723dd4008e2cfb4108bda9a3c01e531d381ab0e389b40f6b9de8590c15cfecfc600bc2856fc503463fc6955e64ee69cc

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    3.0MB

    MD5

    1881c5c2a75c846029e83ebc6bec31c6

    SHA1

    2dfd6db8326c61818ad5034f346dc7131afcb3c0

    SHA256

    a5a6197bfde772fc164089906a839dfda0ccc43e32a75ca5ca962856a97b2653

    SHA512

    33b26c0f773c1d84083b99b68c751edbfe9e8d3b106415d453059ef3ef55cf406936ed78d14664f895e5e378e0a7ef10595c2c7ba7cb06756f6643f488460dbf
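
The signatures above (a file dropped into the Startup folder, a Run key, two dropped EXEs) and the hashes listed under Downloads are enough to hunt for this sample on another host or a mounted disk image. The script below is an added example, not part of the sandbox report or of the sample it describes: it copies the drop paths from the Processes section and the SHA256 values from the Downloads section into two IoC tables, then walks a directory tree and flags any file whose path ends in one of those locations or whose SHA256 matches. The report does not give the Run key name or value, so the script does not check the registry. The demo tree it builds is constructed here; the file it plants at the Startup path is a harmless placeholder, so only the path rule fires on it unless its own digest is supplied as an IoC.

```python
"""Hunt for the dropped files and persistence artifacts listed in this report.

Added example, not from the sandbox report. Path suffixes and SHA256 values
below are copied from the Processes and Downloads sections; the demo tree
scanned at the bottom is constructed here and contains no malware.
"""
import hashlib
import os
import tempfile
from pathlib import PureWindowsPath

# SHA256 -> label, copied from the Downloads section plus the submitted sample.
# C:\GalaxDG\dobaec.exe and the .ini file each appear twice with different hashes.
IOC_SHA256 = {
    "99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c": "7708296758770825dd203c43b4624550_NeikiAnalytics.exe",
    "440422553fd39eeb18b6f223a93944d70369b1ac209bcceb6847bad44715d193": r"C:\GalaxDG\dobaec.exe",
    "cccccbf6106dba278596b848891826eb640e945280438323d771768137e54379": r"C:\GalaxDG\dobaec.exe",
    "79776fbf17f0129380b9768fc4c711d9702e033fb79bce0efe4d9c18fbd35c7a": r"C:\UserDotTV\devbodloc.exe",
    "009790ab4203d870daac86e2e1dd66f07cd24360a8633f307d1db2160cf33233": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "78f609a925912342db9d6eec4acfd094b5acb762275af5fd99f8b87fb45ec4bd": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "a5a6197bfde772fc164089906a839dfda0ccc43e32a75ca5ca962856a97b2653": r"...\Start Menu\Programs\Startup\sysxbod.exe",
}

# Drop locations from the Processes/Downloads sections, lowercased with '/'
# separators and matched as path suffixes, so they work for any drive letter
# or mount point of an offline image.
IOC_PATH_SUFFIXES = (
    "galaxdg/dobaec.exe",
    "userdottv/devbodloc.exe",
    "start menu/programs/startup/sysxbod.exe",
)


def normalize(path):
    """Lowercase, forward-slash form of a Windows or POSIX path."""
    return PureWindowsPath(path).as_posix().lower()


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so 3 MB droppers (or much larger files) are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA256, path_suffixes=IOC_PATH_SUFFIXES):
    """Return [(path, sha256, [reasons])] for every file matching a path or hash IoC."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = []
            if any(normalize(full).endswith(s) for s in path_suffixes):
                reasons.append("path matches a drop location from the report")
            digest = sha256_of_file(full)
            if digest in hashes:
                reasons.append("sha256 matches report entry " + hashes[digest])
            if reasons:
                findings.append((full, digest, reasons))
    return findings


def build_demo_tree():
    """Constructed demo tree (not from the report): one placeholder file at the
    Startup-folder path the report shows, plus one benign file. Returns the root."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    startup = os.path.join(root, "Users", "Admin", "AppData", "Roaming", "Microsoft",
                           "Windows", "Start Menu", "Programs", "Startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "sysxbod.exe"), "wb") as f:
        f.write(b"placeholder bytes, constructed for the demo, not the sample")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign file")
    return root


if __name__ == "__main__":
    # On a suspect host or mounted image, pass the volume root instead of the demo tree.
    for path, digest, reasons in scan_tree(build_demo_tree()):
        print(path, digest[:12], "; ".join(reasons))
```

A path hit without a hash hit (as in the demo run) is still worth triage: the sample writes to fixed locations, and a repacked build of the same dropper will change every hash while keeping `C:\GalaxDG`, `C:\UserDotTV` and the Startup-folder name.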