Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:40

General

  • Target

    9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe

  • Size

    4.1MB

  • MD5

    9d65b7377b97a83b5bf897b308d5b800

  • SHA1

    9733be181d56d790477cfe43bb4b2322b3301949

  • SHA256

    4b893fe9b796bc711f72786faa1212eb22105fb825643abd1ff41f112e5dd14d

  • SHA512

    f9a95fe28f296b393c8cdd08956f2cdc60ecc3311996d7c821a6b7a69501a64906d482bd79f7179487088899038028676a7089bb8a8254f1e1e6e7ec95a0c758

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
    • C:\IntelprocR8\devbodsys.exe
      C:\IntelprocR8\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxO5\dobxec.exe

    Filesize

    4.1MB

    MD5

    5900250ba074ed77284d62e0890a018a

    SHA1

    d83a1ad44b0c25175db048ab41e286cf4a0df3e2

    SHA256

    a19411bbe2f54ccac8993521bb6c067cec19e607e93b37f5f0d75d387642535c

    SHA512

    8e53c958c378b41794a571ff5e050f7b23527abe4b2c90b8c531fcd7dd55f4f6088490f6033237502b6c9302389cf5c1aaeb91e2f087a070fac637bea4131c5b

  • C:\GalaxO5\dobxec.exe

    Filesize

    4.1MB

    MD5

    ca03fd6860742a82029891104545ebce

    SHA1

    bbf18d2ca3a02a9032b55fd98c3721af0a209abf

    SHA256

    39fbec56b0bad5154187d12b7dc39dc4e93d21ee93b4f5e6c8ff16e6c9f7aadd

    SHA512

    b409896f6466b9068babd07debf67ebbef2433e8199f3a30cdb5cc03996bb367610aaf9de91bb19de10ae92f595f3add6e11058effa1e645bff0b3563fa5657c

  • C:\IntelprocR8\devbodsys.exe

    Filesize

    4.1MB

    MD5

    77cb9ac04018aedf9d278b1fa49db71a

    SHA1

    44f59bbc337149e79b9d373f20858723f0a14132

    SHA256

    309ae8f5532fb82fde6852d82a18ca118b41f42b3874743db2a8602c92f03242

    SHA512

    8a1f0f4b25e793580330fdb2eac05981c52285fc0c7efe2a897196c3b37113824c84f6b41dd80cc941a5c33ff8c823bc23988fb9004d9fc55a702ff55bd095d2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    341207aece3fdcc218d65f0ec79fbc50

    SHA1

    91c26bd6886895fde49ffc067849ed51fb6b12df

    SHA256

    31a3c64329f2ca70ffc7ff6f2737f872e0678eb0a20729b4053d9b29ca52e760

    SHA512

    752bc02bda4ef67a4d9b90dce5993f431615868ce75ed68f5757883ada3547bc9a8ceff45c9dea652d66dcd3de571c5be5fc558a8114a2bfbaeb2e8aa33fd4d8

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    a6e4508c8b67963edfb21cd2139f3a6b

    SHA1

    ce696f1ac6e1935a517211f2f4efebda95daaa73

    SHA256

    81ea1ff5f75c9100a55248c84899df7ac8c59d922366f33470e6644d60ff4fa2

    SHA512

    e185f2f088a47f0e4b3ff592f7068ca4539ba21bffb9f7c7c794dd8675f33451e4016989090acc1058c44005e4cd340280011b2eb80ee0a6bf232226f5882e28

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    4.1MB

    MD5

    d579ec0c42aa29c757280912b3d2173d

    SHA1

    570941bfaebd80b6abd1ed8f5e49301143af1102

    SHA256

    3f387c1da43851b94278227867d230563e83465ffa2592b76ae10c5529250c3f

    SHA512

    44b6a29efabf8540ec2e5fdf38287e9b6ff0326c02ac5bdab4df6bbc426b89a7b44951d2ecaaa82f61a50c70302b3030f4a9db993cb479072f967d757e24e4b9