Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 22:36

General

  • Target

    7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    7812552ab69315d1846232b2802885a0

  • SHA1

    03009a8dd7983504158f7b3db570275cdd3034fb

  • SHA256

    8cb8e8317e97f9cc32f42b6d3ec3245c9ea032af1bc139498773d8e9636a22fc

  • SHA512

    2f03cab1d20a4f715f97bd04934fe2b3040e7c506c8ad38fd4b7f327f4243a60356b22face80ed6132c80e1e3389f871ffb536cbd5d719bd44be53cae4118346

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2420
    • C:\SysDrvXF\abodsys.exe
      C:\SysDrvXF\abodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvXF\abodsys.exe

    Filesize

    3.0MB

    MD5

    227ae3b17b3f9143121c8bba26367dad

    SHA1

    ce1843d996e40a0363fa9eaeda7f5a2cd3bc7a49

    SHA256

    e9f9f2f5a7d87b48b243df85984daa7e3c83a5c49956ed2b23dc99db74493649

    SHA512

    63c373534ce750fa5ffb4635e2e19ecc3f6c51b7081f7ccb289eb5ff777448a3426f30aa9bb845c1f3505dd6d639af964fb1dee81f15542adedd29019206acac

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    6d949a9b3899e7a9ab231041d70a9080

    SHA1

    9097f87cca17c84b4704ead3d12606036271d09c

    SHA256

    0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa

    SHA512

    da7f6e86fa077c69657121fcaad9198b0add42dce6f1d0fd362f28ad200219c91c6d6e7f2f7da08c9e204fabf3a9afa61a37a7655c1e9818c48438cf55a8e3ab

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    461c8d513f979b1d4ddb5d7d1ad6cd48

    SHA1

    a1058425371677703145eaf38aed7815a5910cf0

    SHA256

    eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c

    SHA512

    82c3ff71bcdd1c3c205bbf0a7d3293c0e7fcdfe54b430c331eab2d981ba059a1c03c98b13364d39565c8d06271d9dbcba24f6be2d0d5cb808ac878042bed3641

  • C:\VidT6\optixloc.exe

    Filesize

    3.0MB

    MD5

    d2c06c317ce690648b68788abd0fa13c

    SHA1

    02261a0589ecc3cea53d6639c54adc41073ce3ce

    SHA256

    b4215f81c53a05fdf9f21d2962f1b7f38da26685f98a6945573112a3bed1accb

    SHA512

    e620553f50a8a0ef323a535f8a714b468130e0dc0495dd75c1892324e462604ae87b1c14438f17eef20d40d057fcb67a8127bb299e676f7339fbb88e3e368dd1

  • C:\VidT6\optixloc.exe

    Filesize

    3.0MB

    MD5

    6bb891bd1b5fbc8a0d1b041b57ffeccd

    SHA1

    9cdb8f739f9f7becff5e5e2fd052f012881766a6

    SHA256

    872b23a382e31921319f24a14556c71bedc2ade87a70e280546cd19778ae3b8b

    SHA512

    7f34f820724f8b458ec393782a391e50529a622fc8de4bfb0ebff6d4fa7e03021dd2b4cb802989dccd46b84318ac5237c77ce61e3aa15afcb787e4fbdbc9a19b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    3.0MB

    MD5

    5c9a9c502f8949fddf991399862f24e9

    SHA1

    0c1140417266fd9e1574c6240b69c717fd05ae97

    SHA256

    61b7d46e9047c5a7ab1d1bfccc0a6606652a7b360879e81af2f0807c7b548936

    SHA512

    1a9b0f09e1a90cb64978eb2e258953e15a38f994a8a025747607deea2f9b280f77e99877ce7e2ed78845b7a52afa0b919f68a97d7d157dc66fe822b4d5489823