Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/06/2024, 13:39

General

  • Target
    3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  • Size
    4.0MB
  • MD5
    3fc1c33983231a85fc3007f196ada650
  • SHA1
    c61c150a30a71524ef419e192af5cd762a066692
  • SHA256
    b486ad7f522a6f07cb1e1862f34b152b75f3dba3f74df1c11c2078dc420644e8
  • SHA512
    e42ef4ce75f21cc5d8cfc49d0575bf487f304889c91c68000c758b52585684d30dd3024a565302764a6df6ac4f9ebbdf2bce44c8ce1632fa14bdbbee7fe326e7
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2152
    • C:\Intelproc8T\xbodsys.exe
      C:\Intelproc8T\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxJA\optidevloc.exe
    Filesize
    2.9MB
    MD5
    238a872fb78f3771065d39f56c2e4690
    SHA1
    49e2b3932be0cc3ebcdff852e92a1b2c03752477
    SHA256
    f83d8730801463a432d368b5ee49ee7eaa285df9cb1bf5e46c991bea75cf1b69
    SHA512
    69baf1342cb0f9bd04acbf55c807f2845d2cd2fc3780d71696f79a4c3f3636506e8bf7b963dd7e5bedff126d1ffe92d114fba6d6e4b72906532cbcb23a688ba8
  • C:\GalaxJA\optidevloc.exe
    Filesize
    4.0MB
    MD5
    288c84a7e5508a8abad20daf89b125dd
    SHA1
    012f646c21cdced707fcaeee01e87707e01e6f5a
    SHA256
    938a641acbeb5e50138b912cbe51fab0ad65afdadbd6498c4e3fdb3dc2ee77fa
    SHA512
    82b7a252423ce9e207eba1ba43640e75d19bfd01b9a73d801e8570c49f94d9faee038324d80db46eb9ff904d3c8545cb8e3e463027c442d89c3f62f117b04eb9
  • C:\Intelproc8T\xbodsys.exe
    Filesize
    4.0MB
    MD5
    d7d76b74550c9bf5031c32436962fd3c
    SHA1
    ec0d4e1be60990b4a854e6699fa045d20fac47b6
    SHA256
    b7af2fac0007e2baa7ac79a31b09801db9469635241226bbbe6f8d6527b1cdbb
    SHA512
    80f412eda70178ea61699a3cfcfc1213abcd0662fe17491c4ee992fa0150701280feb5c228f76fd833019794bd01cf0045aaf238df5e01d3c4327b830e19af2c
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    176B
    MD5
    98c5eb89b8a9157f251e248d86424942
    SHA1
    e96d33842000116555b1047af18eb616d26603b9
    SHA256
    a84062ee6124cfd7f4860ab7d95ee4edc064d84fe9dfc78bc10233af7798eaef
    SHA512
    da020698e9e591ed71b6f04cde747c778ffeec1092ea104eac9e88a429b75819c27d210ee8a4311590dc9a5d8dbff46baa8d5afb4b6e0b2da3bed5a889f676f6
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    208B
    MD5
    e29a0d8e01515ccdf896476b472ea5ed
    SHA1
    3df006f2b61ba7e21995b0406aa69aadf734e404
    SHA256
    be2e1e5a5171a0d5584939a159f42d0afc3a26e07e090f910323fc0cfa2822e1
    SHA512
    fe4de2da361da995a6fc30548ab0d8da0467c638d4503f9cf384360982029c4c383e75ccca550d4772e39effcedf83ee092a99f7230773a3605983966ac46e8f
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize
    4.0MB
    MD5
    3a19cc2c5444129453ce78d37290025f
    SHA1
    e7e4bd7dc21fce59e1570f493de54d1d2b2dcb22
    SHA256
    e5f92626999a4730dd4245be6db41eef5d7a17736fc362753fddac385e1a5b60
    SHA512
    000fc827959fcbaa6e1aa4a91c24c3334fc6889c6848227580b9f26fec702eeda312eb559e8f0f0775d7b5515d5ea775894249e86fef07a298cd2be07ed38fd5