Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 05:07

General

  • Target

    3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    3c3df56fce82282df4d0f01614375ee0

  • SHA1

    b2aa605ecb3851141ed386e1d8913c6116ad8c4b

  • SHA256

    f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048

  • SHA512

    7ddc404b57eb95ad7485fd3700470ebd3e2441e1b87a8a9409174eb786f0455c8126feebef856acc71b5334eb8cd4c8576f7ee6b419f002a1ee77dace53ce381

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
    tree depth 1, PID 3048
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      tree depth 2 (child of PID 3048), PID 2604
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvGD\adobloc.exe
      C:\SysDrvGD\adobloc.exe
      tree depth 2 (child of PID 3048), PID 2136
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZ6H\bodaloc.exe

          Filesize

          4.0MB

          MD5

          b4e7073f4802ce1a6bf970b42a524ad2

          SHA1

          2363d714a52bb2439cbf48ccfbbd1e29536cfe3b

          SHA256

          d0fbb44f041a1019890a0633c8ae4a3715ffc1c135832b18a62aa0d06ca73f50

          SHA512

          fd0f9588e92060d284ba69e18e7e9033d138041b51fffc6ad73b5e5fe27f44655982d943550319aaf122dff540611c5e1e511b0ddf12b15f7735200db50404f7

        • C:\LabZ6H\bodaloc.exe

          Filesize

          4.0MB

          MD5

          3746139f59df2bf83446ffc0f4bdde87

          SHA1

          d76e0ddf5f3e0c51b9f0f7cca0a4558e1f2c1b53

          SHA256

          777e02d38f089426e9d0fed1259c5aebdaec2b25b681cdf5e72bed17a9d27574

          SHA512

          43628512790448acb49114e85043e36e3b28284974c164c04007ee873968ae69108ae3d35a9f26ad15a1f38add64ab76f51875d21ab376a3c8c2c910b08847c0

        • C:\SysDrvGD\adobloc.exe

          Filesize

          4.0MB

          MD5

          b5f2c4f840e58fe7dbb9929b7828aca4

          SHA1

          292f3bc411f713a0625510f0da6f573b603e353b

          SHA256

          a57a01e70eae890153ba686815353084d1bc8a65427c447d1e0f17c9b9eeb9a7

          SHA512

          da5606726bedfa724640d7eb577495f574c7c04e9e53bd39c2c722cb83753f9be4215dcb48a3f67bf3f4ac39f69dbe285fecd1f8a6302b2146bbbf99b6d50ea0

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          e67a20773f54763c2abd62dfd1afbac5

          SHA1

          e8aa226f23976a38d29ca80d7cf41732b68d8051

          SHA256

          b515e0725c37dff5eb773be0ac3192614b5798d46a352a67f434fff4f11564b7

          SHA512

          a8a9cc8d34d2b5aff344d8292dd8b4b30947c2fb0d750dd6d701310f395ece2a270df25043b1adb9e6dfac36576908779e2a364430eb40f9bedec991946d3255

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          dda27ad32db4a85ccbe27ff6e3fb960e

          SHA1

          644175d64f7e41b6fbee0eac161263244247bb0f

          SHA256

          22327df47c7c578c798729697f9a92130698ecb529a8bee8d250ec056d20184a

          SHA512

          4b95424abafb8d8446a447c134c432963130b14d056c373a5ff4df8d949e24dca74e79aa496e063673665f5043f780f834e8b7e8a8f2859b03026ce53e1057c5

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          4.0MB

          MD5

          400df63cbb09dcf7b37fa37a57a40a92

          SHA1

          ef98ee73e3d387bf97bc7db85a6d05ee0a196aec

          SHA256

          4fb7a8c7497c5f32e1a98a49a404a9024804cb46ff0236bcceea1e37c60e623a

          SHA512

          537266d6f6f12a8c4392895c1c745c8b46cd4f9402b27d30b247e8964f76e41be4f31fa2f06a4245a57c27c058dee41b1ee6b7b1c8a1563f8940b7c3f40de953
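The report above gives two kinds of indicator a responder can sweep a host for: the SHA256 values of the dropped files (Downloads section) and the persistence locations the sample used (the per-user Startup folder and a Run key, per the Signatures and Processes sections). The script below is an added example, not part of the sandbox report or the sample's own code. It embeds the report's SHA256 values, walks a directory tree hashing every file, flags any hash match, and separately flags any executable sitting in a Startup folder regardless of hash, since the dropped file names in this report look randomly generated and a hash-only sweep would miss a re-dropped variant. The `run_key_entries` helper enumerates the HKCU/HKLM Run keys on Windows and returns an empty list elsewhere. The `demo` function builds a constructed directory tree with stand-in files (no real malware) to exercise both code paths; the stand-in hash it adds to the indicator set is an assumption made for the demo and is not from the report.

```python
"""IoC sweep for the artefacts listed in this sandbox report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Target and Downloads sections.
REPORT_SHA256 = {
    "f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048":
        "3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe (submitted sample)",
    "d0fbb44f041a1019890a0633c8ae4a3715ffc1c135832b18a62aa0d06ca73f50":
        r"C:\LabZ6H\bodaloc.exe (first recorded write)",
    "777e02d38f089426e9d0fed1259c5aebdaec2b25b681cdf5e72bed17a9d27574":
        r"C:\LabZ6H\bodaloc.exe (second recorded write)",
    "a57a01e70eae890153ba686815353084d1bc8a65427c447d1e0f17c9b9eeb9a7":
        r"C:\SysDrvGD\adobloc.exe",
    "4fb7a8c7497c5f32e1a98a49a404a9024804cb46ff0236bcceea1e37c60e623a":
        r"...\Start Menu\Programs\Startup\ecdevbod.exe",
}

# Persistence location used by the sample: any .exe here is flagged by
# location alone, because the dropped names are not stable across runs.
STARTUP_DIR_SUFFIX = Path("Microsoft/Windows/Start Menu/Programs/Startup")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so 4 MB droppers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _under_startup(directory):
    """Case-insensitive tail comparison, matching Windows path semantics."""
    n = len(STARTUP_DIR_SUFFIX.parts)
    tail = tuple(s.lower() for s in directory.parts[-n:])
    return tail == tuple(s.lower() for s in STARTUP_DIR_SUFFIX.parts)


def sweep(root, known_hashes):
    """Return (hash_hits, location_hits) for every regular file under root."""
    hash_hits, location_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digest = sha256_of(p)
            if digest in known_hashes:
                hash_hits.append((str(p), known_hashes[digest]))
            if p.suffix.lower() == ".exe" and _under_startup(p.parent):
                location_hits.append(str(p))
    return hash_hits, location_hits


def run_key_entries():
    """List HKCU/HKLM ...\\CurrentVersion\\Run values (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # raised once the index runs past the last value
                    break
                out.append((label, value_name, data))
                i += 1
    return out


def demo():
    """Sweep a constructed tree (stand-in files, not the report's binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "Users/Admin/AppData/Roaming" / STARTUP_DIR_SUFFIX
        startup.mkdir(parents=True)
        (startup / "ecdevbod.exe").write_bytes(b"MZ constructed stand-in, not the dropper")
        dropped = root / "SysDrvGD"
        dropped.mkdir()
        planted = dropped / "adobloc.exe"
        planted.write_bytes(b"MZ constructed stand-in for adobloc.exe")
        (root / "Users/Admin/notes.txt").write_text("benign user file")
        # Assumption for the demo: treat the stand-in's hash as if it were
        # in the report, so the hash-match path is exercised offline.
        iocs = dict(REPORT_SHA256)
        iocs[sha256_of(planted)] = "constructed stand-in for adobloc.exe"
        hash_hits, location_hits = sweep(root, iocs)
        return {"hash_hits": [label for _, label in hash_hits],
                "location_hits": [Path(p).name for p in location_hits]}


if __name__ == "__main__":
    print(demo())
    for entry in run_key_entries():
        print(entry)
```

On a live host, call `sweep(Path(r"C:\"), REPORT_SHA256)` as an administrator and compare `run_key_entries()` against a known-good baseline; the report does not name the Run value the sample wrote, so a value pointing at either dropped path is the thing to look for.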