Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:37

General

  • Target

    9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    9d5737ca0ecfaf990199410dbb7b73d0

  • SHA1

    da2b3dee7bab04a7177783bf15b39e04b183c5f6

  • SHA256

    eb45b1b1e94564e6e787e834b47a05992a334d8477cf310f387c35d87a4eab40

  • SHA512

    4e1ee09195d94098f03ffce5886451fc3d6f18830487467efc6bf210612aa13db013107c4fafa21e0a9d2676280c3ef3e952903b8f58aa529d9f290d81d7dad4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8:sxX7QnxrloE5dpUpbbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3248
    • C:\SysDrvYS\xdobloc.exe
      C:\SysDrvYS\xdobloc.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4792

Network

MITRE ATT&CK Enterprise v15


Downloads