Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    03-06-2024 05:38

General

  • Target

    9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    9d5c0808f0a8eb112f4ce760ed2aa9f0

  • SHA1

    191567378cc75b1478e5403779e80bde5d79b1d7

  • SHA256

    0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f

  • SHA512

    99d7394d79335ddd7920953b44792a4a7ad296caf33fe48d644983de63fe1c2bd8cf5ecf1c85bd2f2ba0366ac8344836a34dac67377d3afbe2c8a99eb232a4ac

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3064
    • C:\UserDotG2\adobloc.exe
      C:\UserDotG2\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotG2\adobloc.exe

    Filesize

    3.0MB

    MD5

    11c6f7b491242aa462935a3ef78b171e

    SHA1

    4b01c616a153265345df52d1910370733932e0a8

    SHA256

    c13277708cbe461da4c9a1b9c7d16ebc29f1b173c7ca6b0f896ad6abb8521cae

    SHA512

    c296b3562f1c108d2098c305de3a819b335447fcbaa79dc452ccd5ec06053a10c1a5122e187fe85b58604c2101695917a2c0bde136b7f674940723b8939afe4a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    0f7a062f8ea995bb11ae87b1241bb0e7

    SHA1

    78556408ed1096351a575905aea5b7a76b7a9d8e

    SHA256

    f2779a45dd4279bbf3d5963a705b35a01c0aa48f68180283ad2fb8db9d125b3c

    SHA512

    b848a9b13a26613a200d6f7617caafab3b5bbebc56a1e551871a6dac8f15dc5430ee2851faf0a238adde4171e08b93a2a2f23e9b3b9356a844ba6d8eb4871336

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    82b1b9f878a0e9b95503e771fa2a2003

    SHA1

    f49f8d13356f507ebf1a0f7191549b4f998fc9fe

    SHA256

    ff65f77135ce7aaba9ba6cf45d735e4df788313bb17ecd6f5c9c32836f370cc7

    SHA512

    d511b8d22cbd4c22161193a684e2d3b6715ddd7cc89eba623458144e164f66c2aadb4bcf440b50fcf609d3490b5e62d02e2fc2710d6f150e37b52e4e28e2762f

  • C:\VidC4\dobdevsys.exe

    Filesize

    1.2MB

    MD5

    9633205f6fb606065872fa55feb79034

    SHA1

    9c54f73a00bb4588979196626fd55b8526a9db5b

    SHA256

    5e5067d38d9e7417c593d2a31629c251f9dd2d945ede02ae0d89e317a17e6246

    SHA512

    d0dad4a65346563ff0f753701d0dc6faeb14fbf149a433ea3a9842b23f0e193adb3f11e554af5b6b2383dac7d18bb38bef720b1a548cda8014d12b4c6d6fa516

  • C:\VidC4\dobdevsys.exe

    Filesize

    3.0MB

    MD5

    a8ebe1833e05952416c24df382357d31

    SHA1

    2f6f32ed1e1720c06d0c6a8d426801fbb8bbfec0

    SHA256

    53d29f4aacdab3ba1d431238ec5f9e2374a2a1579c244465cac03cb5c339d6e3

    SHA512

    cf94a1943e653e5d28d11033376d879373e2f78d2e39e034fdc4060ab6e05c696e152528ba65d9680c069ede44a1448fb87ef3c917bbf9ff0007795e56a16286

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    3.0MB

    MD5

    648bbbfc26b0353d551b8c378348ccdf

    SHA1

    99c022df045b34f349bc7bcfe2566ec41b174072

    SHA256

    8d3cf0381201b7852b517bb9df19d5ca25dff683610e85d0e5f165eb62e3a36c

    SHA512

    f838aa28756ec41a3ce89e52a17612cc2d7c9157fe186e1914f9722c15b8a016c1dec2e2197b0455b6d51f299c0cdce985b14c80752513d1ddc6e377b764ab8d
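The persistence chain in the process tree (one executable dropped into the per-user Startup folder, two more into the new top-level directories C:\UserDotG2 and C:\VidC4, and a Run key added by the parent) together with the hashes under Downloads can be turned directly into detection logic. The script below is an added example for this report, not part of the sandbox output. It runs the rules over constructed Sysmon-style FileCreate (Event ID 11) and registry value-set (Event ID 13) records that mirror the tree above; hashes and paths are copied from the report, while the Run key name and value data are assumed, since the report records only that a Run key was added. A benign installer write and a second-host event with a fresh hash are constructed to show that hash matching alone misses a re-dropped copy: every dropped 3.0MB executable already hashes differently from the submitted sample, and two Downloads paths (the .ini and dobdevsys.exe) are listed twice with different sizes and hashes, so each was written more than once during the run.

```python
"""Detection rules derived from this sandbox report, run over constructed
Sysmon-style events.

Added example for the report above, not sandbox output. The event records
are constructed to mirror the process tree and Downloads sections; they are
not captured telemetry. Hashes and paths are copied from the report. The Run
key name and data are assumptions: the report notes a Run key was added but
does not record it.
"""
import re
from dataclasses import dataclass

# SHA256 of the submitted sample and every dropped executable in Downloads.
# Each dropped copy hashes differently from the parent, so this set only
# matches the exact copies seen in this run.
KNOWN_SHA256 = {
    "0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f",  # submitted sample
    "c13277708cbe461da4c9a1b9c7d16ebc29f1b173c7ca6b0f896ad6abb8521cae",  # C:\UserDotG2\adobloc.exe
    "5e5067d38d9e7417c593d2a31629c251f9dd2d945ede02ae0d89e317a17e6246",  # C:\VidC4\dobdevsys.exe, 1.2MB write
    "53d29f4aacdab3ba1d431238ec5f9e2374a2a1579c244465cac03cb5c339d6e3",  # C:\VidC4\dobdevsys.exe, 3.0MB write
    "8d3cf0381201b7852b517bb9df19d5ca25dff683610e85d0e5f165eb62e3a36c",  # Startup\locdevopti.exe
}

# Behavioural rules from the process tree. The drive letter is optional
# because the report lists the Startup drop once without one.
STARTUP_EXE = re.compile(
    r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+\.exe$"
)
# An EXE directly under a top-level directory that is not a standard one
# (the sample created C:\UserDotG2 and C:\VidC4 for its copies).
ROOT_DIR_EXE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$")
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")


@dataclass
class FileCreate:
    image: str    # process that wrote the file
    target: str   # TargetFilename
    sha256: str   # hash of the content written, as the sandbox reports it


@dataclass
class RegSet:
    image: str
    target: str   # TargetObject: key path plus value name
    details: str  # value data


def normalize(path: str) -> str:
    return path.strip().lower()


def check_file_create(ev: FileCreate) -> list:
    """Return the names of every rule that fires on one FileCreate event."""
    hits = []
    target = normalize(ev.target)
    if ev.sha256.lower() in KNOWN_SHA256:
        hits.append("known_dropped_file_hash")
    if STARTUP_EXE.match(target):
        hits.append("exe_written_to_startup_folder")
    m = ROOT_DIR_EXE.match(target)
    if m and m.group(1) not in EXPECTED_ROOT_DIRS:
        hits.append("exe_written_to_nonstandard_root_dir")
    return hits


def check_reg_set(ev: RegSet) -> list:
    """Flag Run/RunOnce values; escalate when the data points at a flagged path."""
    hits = []
    if RUN_KEY.search(normalize(ev.target)):
        data = normalize(ev.details).strip('"')
        m = ROOT_DIR_EXE.match(data)
        if STARTUP_EXE.match(data) or (m and m.group(1) not in EXPECTED_ROOT_DIRS):
            hits.append("run_key_points_to_suspicious_exe")
        else:
            hits.append("run_key_added")
    return hits


def run_detections(events) -> list:
    """Return (rule, target) pairs for every rule that fires across the events."""
    findings = []
    for ev in events:
        hits = check_file_create(ev) if isinstance(ev, FileCreate) else check_reg_set(ev)
        findings.extend((h, ev.target) for h in hits)
    return findings


PARENT = r"C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"

# Constructed events: the first four mirror the report, the rest are added
# to exercise the rules (a benign write, a re-drop with a new hash, and an
# assumed Run value since the report does not record its data).
SAMPLE_EVENTS = [
    FileCreate(PARENT, r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe",
               "8d3cf0381201b7852b517bb9df19d5ca25dff683610e85d0e5f165eb62e3a36c"),
    FileCreate(PARENT, r"C:\UserDotG2\adobloc.exe", "c13277708cbe461da4c9a1b9c7d16ebc29f1b173c7ca6b0f896ad6abb8521cae"),
    FileCreate(PARENT, r"C:\VidC4\dobdevsys.exe", "5e5067d38d9e7417c593d2a31629c251f9dd2d945ede02ae0d89e317a17e6246"),
    FileCreate(PARENT, r"C:\VidC4\dobdevsys.exe", "53d29f4aacdab3ba1d431238ec5f9e2374a2a1579c244465cac03cb5c339d6e3"),
    FileCreate(r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\app.exe", "00" * 32),  # benign, constructed hash
    FileCreate(PARENT, r"C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe",
               "11" * 32),  # same drop on another host, constructed hash: only the path rule fires
    RegSet(PARENT, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\adobloc",
           r"C:\UserDotG2\adobloc.exe"),  # assumed value name and data
]

if __name__ == "__main__":
    for rule, target in run_detections(SAMPLE_EVENTS):
        print(f"{rule:40} {target}")
```

Run as a script it prints each firing rule with its target. The path rules are what generalize beyond this run; the hash set catches only these exact copies, which is why the re-dropped Startup executable with a fresh hash is still flagged by the Startup-folder rule alone.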