Analysis

  • max time kernel: 149s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/06/2024, 05:07

General

  • Target: 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
  • Size: 4.0MB
  • MD5: 3c3df56fce82282df4d0f01614375ee0
  • SHA1: b2aa605ecb3851141ed386e1d8913c6116ad8c4b
  • SHA256: f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048
  • SHA512: 7ddc404b57eb95ad7485fd3700470ebd3e2441e1b87a8a9409174eb786f0455c8126feebef856acc71b5334eb8cd4c8576f7ee6b419f002a1ee77dace53ce381
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3344
    • C:\IntelprocYL\devoptisys.exe
      C:\IntelprocYL\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocYL\devoptisys.exe
    Filesize: 4.0MB
    MD5: 8cc47dd48e8dab707f7311aa39b107b9
    SHA1: 25d4492f5c199a445dbe0ae730b54ff9e371824c
    SHA256: f7a6c5d7d14486c67f25dd7ced94afb16b2f7578390325a725c0e534bea5cc39
    SHA512: fa70c94cce92175ee4590fbd981cfd73130416232145eddd07b5d95a1a09637f1bce0358c655fac3eeb72ce39e7d6f2aa630d3c9a93df478bba3bf3f4a7389a0

  • C:\LabZO2\boddevsys.exe
    Filesize: 2.0MB
    MD5: 2456e825ceeedb20f71206165d49e947
    SHA1: 890f9632fef2a6bf43a9dfd735746c09de658961
    SHA256: bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606
    SHA512: 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

  • C:\LabZO2\boddevsys.exe
    Filesize: 4.0MB
    MD5: b73e8bf8c333a1ad05e6a8f5c9374821
    SHA1: e2efd773b0f6fb7c2cf3de19961d35c76f54ce2f
    SHA256: 6f833963eaf072bc92fdd5bc9e2ad3178a7f9a8778073f5bab30bfccfb4184e8
    SHA512: f201f5e9b649447f6d65bfd89655b4d69a70e77b2cf24f709e3f27dd9a72d347e5d1d29d6c52a640ca7cf0c4843f41d7211e4c5c2110366a46ca786c0eb6f4ac

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 209B
    MD5: a012c1e96f087446e3321d83eb909b17
    SHA1: 6fcb720c4205706e98604fbe61113077abbb7311
    SHA256: e4daf790e13b6fe0e40083e5c5449af38e6d9e53762bc1f6133058c951196406
    SHA512: 144101c645da222c0f073a8943a4aa8a01f55eb4021b2402212680721a1e53f7f57617a42b34cbb3e12c98d35e48e7017f89b836313e2db76032e4e7b84ccc78

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 177B
    MD5: c6b70840996d34cd20da84b7d85908aa
    SHA1: d30f9ffabb2c1eb2cdb7c0853a97da6a68be030b
    SHA256: 9a1e413db6a9857f43d6ccfaea751e074cb405732fb396fd002f25730b95273e
    SHA512: 55d9717ccc7cf5eeb8296b7cd67894e06bfca941d65a5e56f5ccf03c7202fe262ce4c1bcda2c47989688c9c0bfd5d0c722bde1ef515ba4a45106a96d3312d1f1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 4.0MB
    MD5: deb623d98fcfd9f39321ad81e817eeeb
    SHA1: aafd974fa45375b560b29bf5ae6a08e83dea83be
    SHA256: 703d063f3f7bc93514e3efa7118058ddb23d874e08653955e89d4952557fab7d
    SHA512: 02d45457cbefed988bd9c77dce12749cf3a717024b44c50d395c82b093579c93e44a7f26563a33cab533cc7a6f29b6932506d821fb577d829efd8475ffb63e54