Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 01:04

General

  • Target

    18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    18e4b311da973f96bdc5fa89bdb1f9f0

  • SHA1

    ab892e53adef8f72b9267f22d00be349566c1d40

  • SHA256

    ed8e54a4324ea0f52a9102821073aa15bdf95933054af5dc5d3d15041a11645f

  • SHA512

    c4a3de09ee46894960d642486968fff211b3b0eb6bb32c63d0a8997e031c0490c435ccd7a9d3a9620a371c4defdcf7e0648f84ddbf0798135bf85ce5d8d28e60

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4180
    • C:\FilesOH\aoptisys.exe
      C:\FilesOH\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2024

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\FilesOH\aoptisys.exe

          Filesize

          1.9MB

          MD5

          f174f3a13923af4f86158675e1f78c59

          SHA1

          4b5fdb20a7b8db69b2cacf573ebfd70a7fb1d727

          SHA256

          db860d6b861cd1195091157ffab3c609f306552683cbc4044f5d8a61e0934fb2

          SHA512

          5cb013f8ed89600b8faf2bee85f9acb71c41ebbc0e7cca9d512b846fa4a4889d314716193bab08c4d94c7a1e1171d575dc0c590330744e2b344ef37be93d0e0f

        • C:\FilesOH\aoptisys.exe

          Filesize

          4.0MB

          MD5

          4d7897cab0d40c5d073313fbc39472bb

          SHA1

          8a763508a9df9847be89f93cb1c401f3583b8a3f

          SHA256

          98985c258258b188ca917f9c3b53d0436bcc6a76ffad44ecc2988ea6ca2ba444

          SHA512

          1c14522049917b57d0dfababf5395ac3c4531f8b30e01a32bbb1ce7e6197c525624f5514170e1f8b230c0ba2b60e22893bae835130b58f29dcbbd6979cd9f1b4

        • C:\KaVB8R\dobdevec.exe

          Filesize

          4.0MB

          MD5

          51110fd08d8808dcd8005334efc0fb35

          SHA1

          1e53ecc9a55e60c4248894e860f57f3f339d5fcb

          SHA256

          d8bafb60ffbf5d6363ab96930afa42e999096856887af056cab4a01a13a7a96b

          SHA512

          dde3cec0c95b488d175a34e8690b2c76a19f8e1f0a05957a6943e5ec4fac23c8495f1d2cadd5e64ebe952f3698b932ea5503f7dcc7d840cc2df8b70a362a61e7

        • C:\KaVB8R\dobdevec.exe

          Filesize

          805KB

          MD5

          9de3732d89168273a208fe06e03cd8b2

          SHA1

          ac0a6e4cd5d45ef7900d99685f898b7948656ca1

          SHA256

          c1bf19d73c380f7d05a728b1d32545aa938fab9a4a9967709ef5151f8fec035f

          SHA512

          e82d07f05da07cfb74637edae4fd85e8ca663a69c5c8a3c836dba4464400bc679e99025c9b71f03cb189f4ab66185ff107271f9194c9d0ccd6c00a4a0ff70496

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          fa5fb7767c2d07c19bd3b697680f0fc5

          SHA1

          0ed227be570e06a782c6289bc35e3a90e2ad8cfc

          SHA256

          0c60b70960d7d075eb7124787d3631b0af1b07980f787f04c2e72670c0b3136f

          SHA512

          84bfd9974b483ecbac568fd4803c9b0cade277cea108ffd38a4dada0c4791f3742f73c25d38397999e5329d75c5e5c343a220c57706c617e5e729911b1728648

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          792cc3ac79c7635d2f3c1d9aad57bf84

          SHA1

          8fa624b7b2a4855252ed44f44066028b039d655d

          SHA256

          cf8277cfb5633b2d630a28a4b556cb7ff6016c35329b9b8a8197ae4271652b9f

          SHA512

          1484a96c81f5ba04620908596156d0bf0970e05d7929a59668b5737583495c4d6c34f7d9a39302c6c4c07c67cedf1691ecf8b6685eb5c5d6cc3a83ec22463abf

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

          Filesize

          4.0MB

          MD5

          766ed5059fd8fcdfb2a51c72cc5deb3c

          SHA1

          985f876e47fd4149cbb4268c6c886369d46d7a54

          SHA256

          1e30bbe43a8241393e051cdcd561c6097d8a0fb946ff94282bb8c5a6bb4146eb

          SHA512

          20edc4b1495e4dc7fa4c5dad7592b782d8c57c9d5dc8683d17220ba824561e5556298223ad4f6cb060f417e2bf43bd4d26d1fa4a375fd87daf758aed1d565153