Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:40

General

  • Target

    9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe

  • Size

    4.1MB

  • MD5

    9d65b7377b97a83b5bf897b308d5b800

  • SHA1

    9733be181d56d790477cfe43bb4b2322b3301949

  • SHA256

    4b893fe9b796bc711f72786faa1212eb22105fb825643abd1ff41f112e5dd14d

  • SHA512

    f9a95fe28f296b393c8cdd08956f2cdc60ecc3311996d7c821a6b7a69501a64906d482bd79f7179487088899038028676a7089bb8a8254f1e1e6e7ec95a0c758

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2076
    • C:\IntelprocLC\adobec.exe
      C:\IntelprocLC\adobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocLC\adobec.exe

    Filesize

    2.4MB

    MD5

    c1add6aa0fb8b59032175cb77fc9a2f4

    SHA1

    4143e86cc49aa073a32671e8a28b6d78e3fcea7e

    SHA256

    f1e073e46fb43872f38279d61d510e73c251dd32511dd11530a2575bff5fbc95

    SHA512

    b7bd429a8ee28cebb8e491ed3620c6e04c7adb776aede41c87a308d8a5d47ca5fe99d65dbfad098c12b8e8db6adad2bb7b9445233b77b4b98aac658827e5da80

  • C:\IntelprocLC\adobec.exe

    Filesize

    4.1MB

    MD5

    12f7174261ea5cdcfce06a1d89622cc0

    SHA1

    05e87cd6ab337e74c8dfecb52c70c8740869a138

    SHA256

    9e11d6579c3c8c1d20222e6d32e98aaa66af227494f7761dbcf6da77e92317e5

    SHA512

    71c02947031a62b0613ad58dd94e0baca807666ab133c356788d026a92bf155fcc3ad77abee229bbebda79905f57f6605af4f6541fd80ffe5138fa0b71874ff3

  • C:\KaVBTQ\bodasys.exe

    Filesize

    4.1MB

    MD5

    6340504142bc4871d425598bc8b5b9a2

    SHA1

    551b53abb17ce2bff63fa8e83d1ad1f2c156515c

    SHA256

    fdd1c0c7c43b0dc5c36655098f84664a6775327a9241aa9bc90b14dee055ec47

    SHA512

    5a9bb6b799dc766bb6448faaf2be7883f1ee764a50ba13d719c508d4080d2b988916b17d5ae0f17bf969bd2a2edc592ac699cb2744f4b715a1bcd7c78bf0ad0a

  • C:\KaVBTQ\bodasys.exe

    Filesize

    4.1MB

    MD5

    fd2babc44122d6332e4c7d15e58e06b8

    SHA1

    54d28b7165966cdc49829bd9b2a67821c8d7968c

    SHA256

    39ab2089113cd8ce044bb3f7a0f237909bbca9f6aadbfb6d936f3c273ec0cd33

    SHA512

    dc1cbab7d689efaef94aa761a3a58acb6a5ab4e81faa831ed08fda9cea5866f7353f5e3126d23cb340ee0aa6511433226a96d3d2dbfa218d797b57c73ea43f1b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    8e261efd16b789f870336765fd3e468d

    SHA1

    4deda8d27a886826f0926d5858081c15877c2c96

    SHA256

    98ac581d8c26314e63b7dcdc7e23b3da8fd71b3f915566d2a0e893a31d44f55b

    SHA512

    2522bffc9e0461b76e13897b613b2c0607a5473ac44afc12f118f3b360d0b295eca34538b9335529986d98584379995b49a4cfe3d3a935247f9e4f7fc677188b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    e3e9f64277b27808758069e549e5c3ff

    SHA1

    798fa91432e2c017ae749c774d6032c08a589416

    SHA256

    ffa19b771d5b753b206c1ce19f671c6348289539db60db8a2fa3e1976d5676a8

    SHA512

    3990a0e897410e48f954cdc197a86348b22cf82b432c46b94d7a2e2c56293407ecaf587a9c63845d33024487f9340acd11f342b98f8c2dbcba19d7b9a9c28087

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    4.1MB

    MD5

    b322061ac02e2c77351a5ec01395709e

    SHA1

    e2827170bec33bd9bcc49b9c1f2041aa2366ccca

    SHA256

    113bd8da894a72f0a32039b8e2070940da52c2b2899927e465b739d54eba0bc9

    SHA512

    6d60389ca9199322177a089947ab6f0a2135f079fe99579b36e282e25f3003f6e046aed529f00af2a25f1a108641106149726bd17c5f229c66fd81d8600431cd