Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 22:30

General

  • Target

    7708296758770825dd203c43b4624550_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    7708296758770825dd203c43b4624550

  • SHA1

    b14636f2b188b10111126620f78646ebd1dd883b

  • SHA256

    99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c

  • SHA512

    e99bd73e6d4a7b5d89759701b5eb94dcb6ef78e389ad50111f925b1bdc8cf8060922ef23f771e2b106ed67d0b286da1f86ba9f11456e150420623af92c848b89

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4836
    • C:\UserDot7R\abodsys.exe
      C:\UserDot7R\abodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBG3\bodxec.exe
    Filesize: 400KB
    MD5: 8de603cade6c67d6f6d8b0bd5e668f96
    SHA1: 8679939808188f209f7862c5d80aa5e0da96d386
    SHA256: 6a459c064655d7488dd76e02c48fedf18b025561b83c2670db5a62516bb65d15
    SHA512: 3175948953d0aaa2e4ae8367198817296d32670db8591ca1f770fb323a314c2b28e981dd5fc556f2fa19fd9a18d8174910ac431e5378cab830cf7b80ba41eb42

  • C:\KaVBG3\bodxec.exe
    Filesize: 368KB
    MD5: 9e11a956e5300fcacf192025d7b1f995
    SHA1: 80f9d7f3be45b50d0d03d4c20e3bbfee8f8ff24c
    SHA256: 1c73f0e6c59c39d932cda4654dabea7a53c967a7bc31541ee4166ea5b907430d
    SHA512: 75c500c8720504ca9b51949d10d36dcf7975c7c9649ed056b197d8ec9009e0ef84c3c2b51d45a8b010e794dfea96f7be65095b5e90eb547d381faf12fbfa5b46

  • C:\UserDot7R\abodsys.exe
    Filesize: 3.0MB
    MD5: 97ff59b1f3d5f593812597013017d47e
    SHA1: 85248407a6801e287ccf29412988f00257148186
    SHA256: 317f89793471fa03b2f3827ecede87c04426648dad30deb73d602ec4610068d9
    SHA512: de58c6660182e3d74fb6d850cb5191dc2eed518c2c7b487bd13139d3031b6612f4a509ef8c4b69b3cf9d78046f6fc2582e956f4b58cb37a976e3d1388798caa4

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 00737fecef8050d9a8a1ee3e3f404178
    SHA1: b24a843d6cdba743c44456fd7a8de9234f1b2ccf
    SHA256: 28e46bb4f824958182e1da69171e5c4ca3cf3fec6861508df064ff1abe6b3aea
    SHA512: 139dc2aea93ff8e862d2a06c2fadc9595da3ee136ed69a57f083501bb1e89cdc714da76ade418512f47e812833746a2ffc800b665db32d2840f355f5af3927d1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 4e885097337b8c2060bd5d181f0662e1
    SHA1: 764bd332b9a362d1ac3791d95b8cf0b5b57f85e4
    SHA256: 503de247d85c785df64b0ae7d47aedcb0a603b0b28a516807a0e1ebd47b0f364
    SHA512: 04b4be475b32ee2e5ff438b6d4b0f0a1665e0f6a7a3319daa0ab96c3224f8984093d25f423d4779eabe7c43feafaba8a1cbc655e32df431596dba11b15db5219

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 3.0MB
    MD5: f51d8b6730b274fc031482c81bfcc70f
    SHA1: 001bc5f12b361faf4b6684ea9b4606b5fab0f770
    SHA256: 6a49188ded9739ba01aaa64ffb2bff2fc90f586fd446dc7d549297fa6ff6af8f
    SHA512: 4f3731d03667b1f6712f32a7cc0a111d5f03a751f0d048788caa81e1082f4c41b9dccb398a38a1fc5c71d9171dd78fd154f9eb7b092c0cb4d407f139ed672817