Analysis

  • max time kernel: 150s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 02/06/2024, 01:39

General

  • Target: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
  • Size: 3.9MB
  • MD5: 1dc8ee51bc2ea2dedbdebaa13f155160
  • SHA1: 353342a43a29fe2c309e0ae6fc94c597fcc96bc9
  • SHA256: c03c26b58140e15af25e6f1354e61f87f1e2b55c60b7480617fae2149942fc67
  • SHA512: ad83814f67e42188d6f6a951f7ab20a083d07553af03bb0303ea958d0cce9a518373b64d7e249ab697b109ea43ef5ebf366f1acc86b6704f57188de03fac067d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe (PID 1644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (PID 2656)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrv9M\devbodloc.exe (PID 2640)
      Command line: C:\SysDrv9M\devbodloc.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

Downloads

  • C:\LabZSX\dobdevec.exe
    Filesize: 3.9MB
    MD5: e3aacacec53011b6206a9c3fc1ffbc58
    SHA1: 9f49330b81c96e79c03759b83ed706fae399e4dd
    SHA256: 4594010f9028d13fbd9e1c085de36377bd4f1676093cae03bb0a1dae81dacf9f
    SHA512: f5a6739d266e4b5afcd3eda533faa581a273d99a479a1d2f8fc6b19267e99f3aca0a696ec518d39c523426a4397412e2ca48e899527c65b8d450430850e147ee

  • C:\LabZSX\dobdevec.exe
    Filesize: 3.9MB
    MD5: cd383c013ccafa6df1d0e74ffc344cbb
    SHA1: d58732279c4a3fd08774abfe99f3e20e152717a9
    SHA256: 523a5fd2479a2c6f1018aa8fd23859b3e277e19bdaf7402190031026acdc4143
    SHA512: ae4b2ce785196e506a7209b31ab56e7fa36ae09e2e0cdfc83da2e76b1fbb416da294e9a36367378e8089e7555e7fb77369d6cd779418e212a3da1f0366a40a73

  • C:\SysDrv9M\devbodloc.exe
    Filesize: 3.9MB
    MD5: de93972e078c742e067860a4cc04872c
    SHA1: 4a752e442b8b446ed6f79682a215993ffb9a4a47
    SHA256: f9ab2c76c5bfe850108ded22ed29e8fc7fb158168709fd5189dd379fa3662cf0
    SHA512: b4c92843547e4075a35e08ad86aa312829ae413967b6c4269bd808c6948c454a20d6c31d182449d49b98bcee60717893e673e075da4965d66497b0b6326f8157

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 2864ae6b3fc94f45711f434c0c437a98
    SHA1: b8897a729a358dc87dd8566f6882e2d7398d921e
    SHA256: 476f3b3c52379502b4bf29517aa72c25963c5141ce298842f8708ca641f32ccf
    SHA512: 75966a6fa4b54581ce5a2e0d2d4ff9cf0645ee5ec8e13ae0f09c4521a05773c2ae9f2278a36df44b6ec712843e25161d51621683a38eee7c8b20d5bf0702b340

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: fb88fa4fe6ae30e1a127920aaa78adda
    SHA1: bd74540048e9ef6ad220de51ebb7a01d8bd49796
    SHA256: 3c56d13873a6d61a494f744851f1cab460deb1befc8b6f4b295c28288e08529a
    SHA512: 56cf4cf76ae44ddffab0dec6896ffcff34b2837f4659957ed1cf4961b0c27adbcb3a622aa9b8ff123c776974c1d1db61b4dbedb7fc05ff89e679cada97b849a1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 3.9MB
    MD5: 47a5fef988bff37b15c97d3f9834eebd
    SHA1: 3908fa254443805456c9959550dfadc60909ee94
    SHA256: 71a36d6cb306a3680297187e8c164b25e6481e179fa0cae46c9ff822148671e6
    SHA512: 699b60a0c6100075b7dcea12eab3357fb25dd7508675cd1e3c67b7d7a64ecb14cafc795073a1aadadb0f3db26ada77ea043ae8b40ed299642d7474c6c090a55a