Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 01:36

General

  • Target
    1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
  • Size
    2.6MB
  • MD5
    1d604908f917403385d726c694a8b040
  • SHA1
    9c5a6de198728ed1659409e19ffa2bfab9c7e438
  • SHA256
    0dbeefd31c074d4961a8aee9bee33e3543174598a770561d0e23f6d62bd2deca
  • SHA512
    142af2de8fc29bdeb5b5bf05c1848495e8c4fc0d391e0c7923159c20f3c2db95e06c773371bbe09330ffbeea6d8058560db6f609bb950f27519cf3ff351d34db
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1112
    • C:\Adobe3M\xbodsys.exe
      C:\Adobe3M\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2100

Network

        Downloads

        • C:\Adobe3M\xbodsys.exe
          Filesize
          2.6MB
          MD5
          395331e434fb67375040e7c2d52cf206
          SHA1
          6e52480c2b3ffb2c807d6e9ed0d166b1d0ba3707
          SHA256
          db9a94c81273ee8eb166c673c6cf7b65d0aaad2b4e6d9795cc51e691c27339c0
          SHA512
          22f31c55700c6ff59102af26263c392eaa0cb4215a2ac853561a94415823dba78be982b802b7b7a34d59b8682313df155f1e6fd6df1f5682932cc213c83ea208

        • C:\MintHX\bodaec.exe
          Filesize
          2.6MB
          MD5
          4d750cd571c5bad3643f9c9cdbe747a0
          SHA1
          f3d1714f5b10ca1d5bb01339ec20961e7be83320
          SHA256
          e93d2ff3806eb9226cb152c62bbaffc42a7e155f551575865dfff64aa0ae34e6
          SHA512
          2d1b9f13c5a3d3d88727d1e5f2c765336fddaf3df6fa33aa1034fecc002318a0e9369feb108635ac17761101913ac4285c75ad3c12da6bc359d66776cdf77c5c

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          199B
          MD5
          e9fb1d686f50d35dd3b54efe9febef2f
          SHA1
          381dfb472486c3c73292625a978e0ffffe0bd9c1
          SHA256
          78f8b13436cea1064694af9e23e568e008c6e5c73704aff94bbe4753476b87a1
          SHA512
          12479cbf1578888c23dd66094781f47ea7bc9e499c9ea521eae03fffbedbb3d46eb0283cf0121ccab656656d7884f7a92de87b2f9a829fce7b5f00163d185294

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          167B
          MD5
          2359deabeb0bcd118a9358b4f85230ab
          SHA1
          4f245d9c1a77160b7bff140dce7eb8a4b8a3cfdd
          SHA256
          6b06c57cea82f387fb2111e6a41f8a821e1748ed0fe2dc7fe5feb1d099ffc778
          SHA512
          06ff1ba8a2e47405ff0f92a28ab2fbfa87b565d283ffcc9882e81c51f51b6e527db3933fd73d6f5f8c525f0fc7a74ed92a39d3ad0d7df5706c089bbd947b0308

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
          Filesize
          2.6MB
          MD5
          f4e39854499a01189ac56d6f62ac207d
          SHA1
          58619499427209916576dfdb2bedab80bf038514
          SHA256
          538a27b7cd1afe90df16bb1db4d24c6f2508f7f5127ea29e576a58664399d027
          SHA512
          48117cb7db55ecc6780f39aa5d05690d614376c3db550755f84d78a930a02f407b59cd76a468915fce623b7d92cb72614f724a2cd3fbf6e8110cf208426380ce