Analysis

  • Max time kernel: 149s
  • Max time network: 149s
  • Platform: windows10-2004_x64
  • Resource: win10v2004-20240508-en
  • Resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • Submitted: 03-06-2024 05:37

General

  • Target: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
  • Size: 3.6MB
  • MD5: 9d5bef4d54045895d850aa9dace4b8d0
  • SHA1: a3b959e97b549242681d3df82ffb94d9e515add2
  • SHA256: 6e2ad861ed241273bea3ebfd5fab1bc106b7899808a5df5283d91f437855cd1d
  • SHA512: 5eafa9678c7be626ab92d36fbb1585777079cb1415e768597288d0ba2c32288192b988c9029cd19f9e74fd72c1d0f39e2992ab2735a7379b0ffa88861c71bf0a
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe (PID 4772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 3612, child of PID 4772)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    • C:\UserDot3B\devoptisys.exe (PID 3852, child of PID 4772)
      Command line: C:\UserDot3B\devoptisys.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot3B\devoptisys.exe
    Filesize: 1.9MB
    MD5: b4f549164a0dfcdea830ca6242bf11a8
    SHA1: c6f29b0b5c51aebfa795ab854099eea4116243cc
    SHA256: 393cc5b32b1f19ae49fa2f8ff10f11f3c04188b3ddc0ae5c4e5d913f421e4443
    SHA512: 22862576e22ae40e3ae18b7cba9b6bdee3e4136fde82d9c9adede975519be0f1bfca8a1cb0d537cc69bf186b965217f971da64461484af09d0f09edb6e6115de

  • C:\UserDot3B\devoptisys.exe
    Filesize: 3.6MB
    MD5: 65d02d9a0cd832a893c22c6638b5fa0c
    SHA1: 588f7d1a087834fc5f60a952034d4a1dcb48717e
    SHA256: 01f0ef74225e31fb44420f4ed40114558b644abb052ea4216e11ffbfa9605778
    SHA512: 5f4a8d36b35fd766034dcf8d5e1d44f6e9f38a5320cc4c4a5c2bf0569130ca051afc8d6b81a674923f62efbadf557c37416a1db3fc8abef9ce424d2283aa856e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: 31983a6538248a91baac3511ecd0d1ea
    SHA1: 14836ed3795af1c5f6273078f5bed513f56f337d
    SHA256: 15a789503c856ae734eb7037593b5e7c5b7521ee41af3bc86ae2d7ae3999dc9f
    SHA512: c0ffd87ebb759f1e944c7d7360133547d1b83b5c7c6da3dc3ad490f75c7286b2ebea235400f642de316e9578138bd12ee4269d55e320df4a695c8aca6f66e21e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 759ad7502dfcdadb0a7ae95651a2cfa8
    SHA1: f4eed248902e530ee5728dfa4f43c36f9cafcfd0
    SHA256: 2264df95cda2239f03d81c4913d0066eee21f98c6c53224ecc0930ba402ddb4b
    SHA512: 2098315d270a1a954fcb00bac5b24b16265489f01952dc5e9cee56063d62eb4bd6e81cbb55ff67d1f0ad5dd052eead08d52d0a7011372e99d23356621b39e9ae

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize: 3.6MB
    MD5: 8d8e003fa13171c76b74ec7339b1a88e
    SHA1: 3b77137c255d504f24f5520778ac4d4ba5bb8316
    SHA256: 097016cdccaaccf71c19df683284e1316e0bbc6000fb8c5c28b0cfe8fc15ca2d
    SHA512: f739e81c53b1ef64799f5a996b225cbc0ccbcb3d5dfc3732b0fbeb12f8257d807d05a5b19cd652bd43642c6039bd20d8ce7e5aea3388c9e0bd1b5bc8e271f64d

  • C:\Vid3M\boddevec.exe
    Filesize: 3.6MB
    MD5: a5d8b5cec4f3c4e601215c5abd56305c
    SHA1: 227b2dd09e8bfc09e219ea451620d1296f40759d
    SHA256: f14ba228a6ef748b6a3be68328dd3e88f7b1b665522da2a56059ae7dd2ce790a
    SHA512: 6e66127f5a8f4b026c8b6165787baf71b92e5b4294e1473e1a1a52f4efeb556b6780843c8d2dd0a6b8573e168d1aac683639e9b2f7c3c0f3f797d6ceeae4b98a

  • C:\Vid3M\boddevec.exe
    Filesize: 37KB
    MD5: ae8be8e2b1dab8adcb836a33cf6b9a61
    SHA1: 515818c5f9405956f70943bb72ba90e9ba78e9be
    SHA256: 3f6a2116dae8cf70a291b708d7a433a4131aa97d54aa90c7e7c7a772133beee2
    SHA512: 27e40b2e46154b9c2897e8399b1af317f88ca2e3ef7054a9448c2abdbf7f18785b448b4aee832cd94706b44c9e30fd97a6d1f85cb28c11b70a3e38f9b4c37676