Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 01:04

General

  • Target

    18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    18e4b311da973f96bdc5fa89bdb1f9f0

  • SHA1

    ab892e53adef8f72b9267f22d00be349566c1d40

  • SHA256

    ed8e54a4324ea0f52a9102821073aa15bdf95933054af5dc5d3d15041a11645f

  • SHA512

    c4a3de09ee46894960d642486968fff211b3b0eb6bb32c63d0a8997e031c0490c435ccd7a9d3a9620a371c4defdcf7e0648f84ddbf0798135bf85ce5d8d28e60

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
    • C:\IntelprocZG\adobec.exe
      C:\IntelprocZG\adobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2272

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocZG\adobec.exe

          Filesize

          4.0MB

          MD5

          9110bc1fb1a69c2b6e9bca6fbe0aa852

          SHA1

          d3e96a4fcd84170209c4787f3a43e26017128d14

          SHA256

          af20524c8241b834890aa4ed85952fb15fcb6dcbaab63874998be8c51854275c

          SHA512

          e6b6edf9b2a8d3d7b93da7b555251968dd02e6eddd2a19f30051e47651175693105974c85a50afa301af8a5c5011ff165eb3146e78a9d7694a166434f9b44f7f

        • C:\KaVB0Z\bodxloc.exe

          Filesize

          896KB

          MD5

          ecdff8b5d350ea77023b757b2e1f7bfe

          SHA1

          4f3b52658bab4ef7b63b4187613263c67270b9e7

          SHA256

          1494a0e0c08d9846b7496dc009cc357611448afbde0eb022a2c71389630d0146

          SHA512

          c475a563a6bbd83bfb039bbd8448547e70b781730c4718c2e88868bbb4d6c7f45034c50a471b5269ea1835b3756e58e4898fa2b4c7e67aaa8c87a9e2e3de7388

        • C:\KaVB0Z\bodxloc.exe

          Filesize

          4.0MB

          MD5

          3f744b30a4ee5b80c3be5720cc523deb

          SHA1

          3e1eed86a6fed1426df9a33a7d6f083edecddd33

          SHA256

          5ace8485469604d5c456e2cd21e4f8fc0749873762c3d630268211ffae516d2d

          SHA512

          3a0f8210eca7808353f8c1ce6111fa1c40a4a4d2a5dcf8478b2dbb18073be843a3b0eed7037a16fa56c86c50a33fe24b8ef0438afc10bb5e1033b0091ff1632c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          1b06bde66e02432e32306ae70e672fa9

          SHA1

          aebbe59dd6f2e0ba5b0328897fbd38e5dcb59f3a

          SHA256

          793744710a3a8ca600f86f1c460265698f3a36ea21aaabf1e82b326ff05ee52f

          SHA512

          f12156dff6feff0e585c11acefdd83d2edec0e93f670d5469a075bc22190c0553da15e0869bca5f802000c3ca645d191c8e2b165337ab11c80ed2fe0019fc26b

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          a011db449559d8881d912bf4aeb77964

          SHA1

          dabed9e135a364fc2c88e2c38658d6430fcb900d

          SHA256

          e6b48a8eda8535be72d6dfaa0e849f51f205453e46101ca8b94222cf117c2039

          SHA512

          5d89996b97c21f41de15396f5909dc110f723da598338ff08ee3333e2ded5ef4e5c14c420c4f65e5e5f4ef97a28304bd09110520c8ffcebf95363d553ac1c645

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          4.0MB

          MD5

          87ce960f9580d5e85148f6dea35d967e

          SHA1

          7bef8a6ab6d1eb58bd22b017859c1347aac1f84e

          SHA256

          57ee7c7cfce319ff7f3b4f939e71a6632966fb413ab4eebff989dfe20d84c902

          SHA512

          85d44a2ef0adc6c542dfac23f9719590cd6c9cc3dc3489b4602767615ea0587b18b20f29331b9fda9c31d341daad6357f12fdfc2b7da4622085a394dd1e59e52