Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/06/2024, 01:39

General

  • Target: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
  • Size: 3.9MB
  • MD5: 1dc8ee51bc2ea2dedbdebaa13f155160
  • SHA1: 353342a43a29fe2c309e0ae6fc94c597fcc96bc9
  • SHA256: c03c26b58140e15af25e6f1354e61f87f1e2b55c60b7480617fae2149942fc67
  • SHA512: ad83814f67e42188d6f6a951f7ab20a083d07553af03bb0303ea958d0cce9a518373b64d7e249ab697b109ea43ef5ebf366f1acc86b6704f57188de03fac067d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4812
    • C:\UserDotX7\xbodloc.exe
      C:\UserDotX7\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4360

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Mint5X\dobxsys.exe
          Filesize: 3.9MB
          MD5: 4ab1617f6384487fefd4f267d6dd514b
          SHA1: a1181215394cbf7a442c44d0ec42e4812fbffd3f
          SHA256: 60d8ee8adece0b266d87fbeb59fbaadf35324a0e4cb1bf879035dad99a85a2d0
          SHA512: 24b33c25742524d2eb5bf54207ec36bc2931110497aab599636d9148419cea88690de5cf35ee990be28ade07992560e428265ece577044a895ac94c149171eef

        • C:\Mint5X\dobxsys.exe
          Filesize: 282KB
          MD5: 474e813e61c6aa0fadb5dcd242dc4743
          SHA1: 0d35606140fc0b84c6e24e54a605ae45cd096c42
          SHA256: f0ba49b3b32532b70c1a3ad65437c6ee09d0580c39cc279f1c51d3669a16b3b1
          SHA512: d97831249202dc33968e50defb6086459bae4ed7b3bbdc4d9a565f26cdf9bbaf65b55ec83fb075f15437cc05d869d4a52ae1123bfd38cc486813e75cf62ee931

        • C:\UserDotX7\xbodloc.exe
          Filesize: 1.7MB
          MD5: 9144eb248bd8c9e02abcd2e4b31085cc
          SHA1: 898df30a81947bafba526677fa2002de09f7f738
          SHA256: 7cffdd9e8279fd1a64d94a1a48fd0c4300127a2e8b442abe2c432aceb6fb9da2
          SHA512: a9274d7c0d3f43491174585361217a920ae45a912b67b783edf8f95110e2b0c680006f4bf8b6fca3792e76c9bfdfb544ed31b57a95d9f94c71d9b7ded5c4395f

        • C:\UserDotX7\xbodloc.exe
          Filesize: 3.9MB
          MD5: aa1febc73bfa0efc4c4043f06aa6630a
          SHA1: 7f8cddd68581b340c4865145f4292bae161747f2
          SHA256: 62e963e5a763f0763e92197413445526a593fe5a2bee8fec2d10b5b090c07361
          SHA512: 2ef64b2c5a6d9b9f04a70eb8de3001307b52c4699986bf406e589e0c9bde88f2132b9449882e2eb0937814c31694fae3e94f63a696efc98358cabe4361e251b4

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 201B
          MD5: 189df933c9479fb6a2ad5d900b304c1d
          SHA1: 277049bb0ee37941cde4f81afa16ef53a27a682b
          SHA256: 31d320972d293e32cf22807c22d6f0592670086480d9468f09beea33c7227b42
          SHA512: 6411b5c69ba3cfc94388c3ab1bdfe1e1578963f7004368d43ad21881f345b4a5669fecf008c90fc5bb6790cc1ac5622ab6684eaa9c167e3b5238bde189f58d85

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 169B
          MD5: 8d433c1d6567631fa6fb3a0052a9a062
          SHA1: 9c1528c8426cf5ab24bc7380c10e1d316f07210c
          SHA256: 670911d13e3ca28087217fbfb0f0ff6a030b27001fc79ff0b8aa49dace3e9d9b
          SHA512: e2f7d44507a5c60ac3494ca47b556dfcac0d76d5cca13362724fd3f581caa8d18399127557e957d5509a69d1859c71a99df2fdd7f8a50dd379b9251114801c81

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
          Filesize: 3.9MB
          MD5: b4e5700f7e5ccd89e179700c58331ca5
          SHA1: ca35b2560e2c127c3909cea033561d3f2d55af11
          SHA256: 25cbcb7acf1184ec9fa7d7e733309647ee6690e5d126e936f91a0d584c036aa0
          SHA512: ec1f9d85ba5bf483f106cf3c369c14d1f17b2cd277d5cf638b859470d2ab7d6c9271f5d1d2dc337f8ce6f8f3cd474d03189a701c7a77fe3d74cb4df61117831b