Analysis

  • max time kernel: 148s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-06-2024 05:37

General

  • Target: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
  • Size: 3.6MB
  • MD5: 9d5bef4d54045895d850aa9dace4b8d0
  • SHA1: a3b959e97b549242681d3df82ffb94d9e515add2
  • SHA256: 6e2ad861ed241273bea3ebfd5fab1bc106b7899808a5df5283d91f437855cd1d
  • SHA512: 5eafa9678c7be626ab92d36fbb1585777079cb1415e768597288d0ba2c32288192b988c9029cd19f9e74fd72c1d0f39e2992ab2735a7379b0ffa88861c71bf0a
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, such as saved credentials.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2100
    • C:\UserDot4X\xdobsys.exe
      C:\UserDot4X\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint97\optiaec.exe
    Filesize: 3.4MB
    MD5: 221444b530353587b439d699d10880b3
    SHA1: c974b181fd6c5271c1f5724d7fa7b6d982bc4fcd
    SHA256: 2f7bde66310909f533475f79e953c4fd903295f9ccdc11fcf4f1108ed131812e
    SHA512: a2fd069c0343f5fde0b2675660ae1350a98894a6d3e52a4359ca2f4f49dbd3410356c462b4e0bb80ee116d64ce47e3daf1dadb7286ab9a3d0ab74d3d886ebfdc

  • C:\Mint97\optiaec.exe
    Filesize: 10KB
    MD5: 1b916c50de9513bd35995ff6e69aef92
    SHA1: 52937fef400b241d4a8b1ddd227652b7c677d4bb
    SHA256: 87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0
    SHA512: 7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

  • C:\UserDot4X\xdobsys.exe
    Filesize: 3.6MB
    MD5: f41ac4625c22e7e3df806ffb41ea3a05
    SHA1: 926ebf4546f02c863f1e2d4af626c1c9a2f368e2
    SHA256: f30709bdfeff2cc919090929db13238579544b2731268f91f87bff067ac64fe2
    SHA512: 0fe9d1d45b58d09f7ce950c4fb74789c7201cba5abbd3524260f058c6a94077b7df0741d75cfa78dbe535e71f02caf6f93df283cfcd63997b4f8ec009c430cb9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 260beb2db3588c83f2bc4ecfa699e129
    SHA1: b0d926146a4efea8d8d70acaf1743f29ae16e1c5
    SHA256: a14c1ea3aaa108f962fb8f3ce79cf6af8f1171c91ba353e8594f2be0c06e007e
    SHA512: 5776a376c2fd63aee513d35aa1a7387536d240d32bb41aea91854579ae369545999a4fa44972fc512ccf9d05db90bc4e9afc90e00abf98c56fbc04167cb786a1

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 79e97bde734b9f66dab4cd5d794ce085
    SHA1: 7fa015c7f1ab120a241eda2bc98566e883d08937
    SHA256: ac21570ccc57cc1c02561dae3bf3e19a2ce8ff1d79d0f30b44a64e90cdb52b33
    SHA512: e07d62e07fa6332c6fcaf101eb67595d7d2757f2498fd8bcbb8a9b84c8216fd69cc2f8e2a4111722d252bd762b1142a53182dd7dd68832b798c1ee1f7f505197

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 3.6MB
    MD5: 39d967c51861b76857518e02442afb04
    SHA1: a48043bd5df90a7edeca171d457b5e808a34ea7b
    SHA256: 8e17d2d641ca850229740178f1691c694ddb4b880607113f31faf88b29b7330c
    SHA512: 70a650465d20907a2bf5f03dbb87599a7e5585bdda9dd3a588552fc5d8650499d95232d7e67e72a6cd8e5628c6ced5a6c67a85ad7cc63da45c9d00d0cf7ef7fc