Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:38

General

  • Target

    9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    9d5c0808f0a8eb112f4ce760ed2aa9f0

  • SHA1

    191567378cc75b1478e5403779e80bde5d79b1d7

  • SHA256

    0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f

  • SHA512

    99d7394d79335ddd7920953b44792a4a7ad296caf33fe48d644983de63fe1c2bd8cf5ecf1c85bd2f2ba0366ac8344836a34dac67377d3afbe2c8a99eb232a4ac

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2996
    • C:\Intelproc5K\adobloc.exe
      C:\Intelproc5K\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3184
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
    1⤵
      PID:4760

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\GalaxFH\bodaec.exe

      Filesize

      3.0MB

      MD5

      f5bc7ea8c794e6c5b72ab6abae620a45

      SHA1

      eba964385d9783283b1e6546b7beb736c8ca42a4

      SHA256

      08ea013d6b9a53c21e014e886427827915992c95f5f8015db312a4b369862758

      SHA512

      9aff61d654ec24f96122c36e87117b59e6853aa6c0b282e474dfec2c62dc160a14dbc26faa2b908ec8114b092a0ef468e379c5c661fe3bdd216a96ca04f560d9

    • C:\GalaxFH\bodaec.exe

      Filesize

      3.0MB

      MD5

      a29f3cc4ff289c2fb7c39f965f4fc643

      SHA1

      80ec429b2ceeb324430391ab43fe9050aa0213e3

      SHA256

      c762f5e51e232b733a044c3d01784238c45ef2f62bbfa1f73f9848872b1fef56

      SHA512

      4d6b6c6d3e95e3e795aded48f95155b108da9c242ad15acb826e05b394fc78ac2b38796334dda3513c53c222d464b7650f4678a4b88c239cfee4f602074742ce

    • C:\Intelproc5K\adobloc.exe

      Filesize

      3.0MB

      MD5

      f1e5f149efadcbf4afaa1992e07765ba

      SHA1

      d94e764c81081c55e6f5ebc65c5639930eb86bb6

      SHA256

      7269ee4ba5b63ce71e9721865c8de8696df4cb2c0c09e5c4f2ebf1fe670ba1bc

      SHA512

      31087278344054c969eea5bf8123a1dd578c27612adabb511c6db3623c1c0604e35abde9f1befbd234a84d30b5f87666e1e4a10cc8618f4102afdd36f2625516

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      204B

      MD5

      e92d95166461c11a5e00305671ce87cb

      SHA1

      28048d21767b4e77a07c303ccf0e69d3d852a683

      SHA256

      a0f03e133b333ccbc52c08180af754c0a49d447b99dc3aa18f77256199cb16d2

      SHA512

      5cb6582bfd4cee799e16eea40cbf2374b5f41e6d014c5cd78365d9913cfa403a78c888365cc0c691cdf561318633181f1fa258c7922af01f3d5c7bf9a7a901f4

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      172B

      MD5

      df37aed07976dc0b25dfac7beb8cc45c

      SHA1

      2fe2e045eee4186739f556f9b1dbcee2c8d66900

      SHA256

      4111f43db30fa882600b003d64d318995c87edbcff6951bc1be313731adf483b

      SHA512

      e846be3ced9ee952142c78552e93899c51242b0cd023843f291d1f6018a5fb637247904bf0694866562593e833a0f27fd5cd2aeee5adea7fcc446ee76a646713

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

      Filesize

      3.0MB

      MD5

      c9ed07124c6fdd005abd086c419e5c92

      SHA1

      0e6a17b0e0a4511212a1e3282b11ee8339784309

      SHA256

      a974fa195b133e305d1b1879a05c4578f22b057e4fa9abdfcb87660bf850428e

      SHA512

      2fb60dec39c66827fabbc68677a9e6ce9c1d19bcc0fabb3bb10393e74c6dfa2521ca6f3c51b7b169474fae3ef83e27c8bbc95c0dafbd5b65f0ce73265d6bdbbc