Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-06-2024 23:07

General

  • Target

    7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    7559547ccaeddcbcea9850347a04ab30

  • SHA1

    4a3fd39962741c4055ada58a2ecb338b82e6a05d

  • SHA256

    f32e7a23f724c65fa105ddc10f360f5d104df1c5eb03db789bc6c2a894139bd5

  • SHA512

    4f810ee3d0483feb68a0b9bb65c13b292960912a3dde5730234068489c583631ea42f30f945a08449972f8dc70703cbbf3b2facf227dc9a59956868be0e6be51

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7559547ccaeddcbcea9850347a04ab30_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1776
    • C:\SysDrvG1\xoptiloc.exe
      C:\SysDrvG1\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxLU\dobaloc.exe

    Filesize

    1.9MB

    MD5

    c29ca554b2d51bc91a74bba218cadf6b

    SHA1

    e54997d90f515d594c3ace31712ab3912d6f886a

    SHA256

    09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

    SHA512

    02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

  • C:\GalaxLU\dobaloc.exe

    Filesize

    2.6MB

    MD5

    96c78231cb6f964f9d0002a9163b47b2

    SHA1

    c3949604c125ae3adcac67b4c39a72ec3b3b2ee4

    SHA256

    0cfcce583c08d4fcdda77f260fec6dc353c70266de58417e351777b0d651f1b7

    SHA512

    9710feb66a5fd4bb9c719337fcad4e14a4e2b584ccc593d41e156066af8b4fd67294146c121eca17e0b8702645bf1334cec458fdb3ed9d57c64303f431b62498

  • C:\SysDrvG1\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    fb8b93cc9976f14ad3b96e7b46bf2adf

    SHA1

    1a571326e3097a771c0a73cd6d4077e92cacb525

    SHA256

    5d156f1d3ae373c1ef25addecabbac85ceb5923f3d9f1eef899fd0906bd15dc5

    SHA512

    d7ec3599cfc560f5996ef686245ce6f2ebbbc758e550d52066c1786351b04cce3572f4003b65322a98da9492e88e53af3725fb24213a651158973f6e93037705

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    7995c5b784c93ffdd1b57718d3f1ae75

    SHA1

    b8443d6db2ca12c6fb35856da13f44f63ea20b96

    SHA256

    74167df7a4a0821837e837db1e3869dc512e74b7bc02ffe0c00ff311f1daa431

    SHA512

    368d179407f7516063012ee9baa5cd98651397038fd0c251438e50b85356809f9d85ea3189b26ecc76d550889b5f44952746a2d9343c6a257631f32c5240237c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    1e9d8d27748fb955d305c53d5eb052f5

    SHA1

    5559dc8fbe9487ea970bab5938806409da14ad9f

    SHA256

    7efea65a0ee7e623aad4230767c04b9dccd9cc07bd75006e2ff4c4a4acfdcd39

    SHA512

    2b64752e95a69f8d7b96756a3fa0c2764797ef7249723ab64171b0a1fffdb8a78860e050764ad3c062b283327a916f1a91610f9ac1304bd05fc7ae69c86d7607

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    f1d2d8fcaa0595c7eea80538d90436a6

    SHA1

    222217b1a1904e11548b87f060c61d4c8f0617ac

    SHA256

    3fe097f32a0a597ee919714ee4b777e4280b6379e6524e9fbb58b49ce24b9928

    SHA512

    f45844e9103f99bb5371d42d81a14b63c4a0a453d28df068707991527c5b1f82d7c8b8d411625d57aa4ab4c30d11dec77307b0e961997625712239c900b37093