Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:34

General

  • Target

    9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    9d4ae5ae39aa1c037118fa15b464dc50

  • SHA1

    048df40460e2574e3aec0f580f1b30e6ee46c881

  • SHA256

    2592cccfbaae2a195af5035ecacf092a2d01b491bf02676ac26589efca2a5243

  • SHA512

    488bbb96e5ace473da42726ff0e18ae41cdfb1ff061815a6b76a05d370935e9e45452e746a9acab8bd8a0a3dc922948286da2168da5d1db27e7edbbbd7261b22

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpCbVz8

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2320
    • C:\UserDot12\abodec.exe
      C:\UserDot12\abodec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1912

Downloads

  • C:\GalaxNH\bodxsys.exe

    Filesize

    1.6MB

    MD5

    9248625cc2eb983215a5cebf4640ba47

    SHA1

    9d1afbbbc4bc5efa31db298892b3e795315e3803

    SHA256

    782c90598a6c938f2b249fdbe0019b9cd2da316637d4e750170dd258c527647d

    SHA512

    4c37ec9eb3ea55cc04ae4884e38de624c1054e35f430af009ff2eb8c3822ebc5a6470d4a254b782183fccd869a26ad09d2dcf7cf987a095d30af804cec9a7e40

  • C:\GalaxNH\bodxsys.exe

    Filesize

    104KB

    MD5

    33ecbbc71cb0f5fe6e00e970327721df

    SHA1

    39bd3fae9f1adab08a41becb2881b34d09cfd595

    SHA256

    70f38bdbcec215cd5ab203f358ae1052440d21634d2e2fd590ebcdc43bbbdbd3

    SHA512

    8dbc8251ddb94311d0ba7b0845390deec9b91b6d257cde4916fa4d5fa16f3e01722c2d078826e9f90278bc30addd432ce7ff74b61fdbfb987d07080582e6dee5

  • C:\UserDot12\abodec.exe

    Filesize

    3.6MB

    MD5

    c7cb620e475af87fa807834e7be637a3

    SHA1

    45d18155ab6664e924077495edab38c73e85b568

    SHA256

    bf68beac71d89859e232caa6785e23fe10d423ae92f46eb343a8261a7d51d7a0

    SHA512

    0a1eedfce79d696c9d3d663fc89ad85b2c00349f7088ebf510d3021236c6e02de99fc6cac1c7fe79a299362d4b0db446c050450a0f0377d339e6f8c2d4da1504

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    1499d50a9c97f229f6f53046d99bc6c9

    SHA1

    751643f2376fc6d588be80b62dca196fe2c2d566

    SHA256

    8394145971bdfa4ef1ba3ade296905e5f4168f5477fbc30aa3c066d4fc8c2fc5

    SHA512

    98de345b5124e6b0dd3537f49ae58e6af3fca72c1ac45712ac6b6b318a31dc2857a70626f67a49fba46062babda678827ff68bc74c4fe8caa5cdfdc07d3f689d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    b06f698d243fc2c5776aa1622a8266f0

    SHA1

    30149de7a7c8037bdc4c44c62477d7106d654d66

    SHA256

    5e2bebf9efdc1a7eee2737ce1a963560197199d437141c54b81c182205cd4eef

    SHA512

    07401443b8bd4a60e40422c9d739e83d7dbed99d084fed4fe06e0f9be8ec8cd613faffff5ba2afd8c770603b45f75246e658d71827a139598d9b28eeaeb59891

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    3.6MB

    MD5

    9836c2a9c475ef9e6f684ec571fa678b

    SHA1

    f77be7cc7963ba1f0fb410a4ce859d8d33e8e364

    SHA256

    6c4b2f732fc6fa6a6038cf9375392d880b2647dcaf8d958de2f71d0fbae0da11

    SHA512

    506f29e81b5c49b331023347eee54367eb7ef35ed469c09397b73e4394e5db69f4e7f485273e328d04601032469975d8bd73c0120129097f3b11265aeaf40d70