Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 13:39

General

  • Target

    3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    3fc1c33983231a85fc3007f196ada650

  • SHA1

    c61c150a30a71524ef419e192af5cd762a066692

  • SHA256

    b486ad7f522a6f07cb1e1862f34b152b75f3dba3f74df1c11c2078dc420644e8

  • SHA512

    e42ef4ce75f21cc5d8cfc49d0575bf487f304889c91c68000c758b52585684d30dd3024a565302764a6df6ac4f9ebbdf2bce44c8ce1632fa14bdbbee7fe326e7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3428
    • C:\SysDrvXZ\abodloc.exe
      C:\SysDrvXZ\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3964

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVBMO\optixec.exe

          Filesize

          247KB

          MD5

          566c66d9aba7cb8df60e8f1f69fc1a8b

          SHA1

          1ffb8a15d32790d767edc0d49ad6bc15f2f80f3d

          SHA256

          ec523eddb03366ec9811b07457687a2e8ff7aa167ce92d5f6429a81911028919

          SHA512

          ec163ba4f622242cf4dc1a43dcb79ee5df89255a8abd292d56c9625fe791c36ed33366a0a6ebc0ba0276cda4856bdb7ca7c5b68ac389e20acf0ffd15ee72c909

        • C:\KaVBMO\optixec.exe

          Filesize

          4.0MB

          MD5

          91f25961fe256f34dcde59073d02e00e

          SHA1

          4b77395d9c3fee93e58cfa5b163f7588c695c790

          SHA256

          817f17509713bba9ee9a0ee233a3410110d73924bc161c6a78b269ae5cbae948

          SHA512

          f704df994ca4d26e76d6d870efa7eb4383d92ad5ea8adda2d8311bcc97d15572024d6ef08f87b1d4993dc881dcfeef79b058b57a36ea249f1070031e3469c2c9

        • C:\SysDrvXZ\abodloc.exe

          Filesize

          1.8MB

          MD5

          39a4cbd161a59cf10827fccffbe497e9

          SHA1

          4c01da01e3bc9431358ac83ccbf4b569c8694eae

          SHA256

          7cf45c981155d52dea03b2e73c65d861a46b24c5042a935c2bebabdc97d17548

          SHA512

          028627265e7dfe861af5ca12a239b3df3f09bd7d1aabb725959074afb75b1ad10b8dee01e9b703b9ef55c2a07d62b46359d049595e896dcfebe1600604b6290d

        • C:\SysDrvXZ\abodloc.exe

          Filesize

          4.0MB

          MD5

          3b374566bfbba0e08a6a6b40c7c757fa

          SHA1

          36a73bc782d791f04d53c7cd4668871cf69ff121

          SHA256

          354613db3d4bf06909f37614af33569df31cf7184722788bcc272f327bc0169b

          SHA512

          a930d3cd51e6333a598d7dc6fbdc9f57d054ce917b616e05ef09cdec522d92da1f4446a00d9e4adadd2d6e46e9a4e3bf10173c3a051525ae9068ec64f7e31947

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          44a511c0019e0b90541263155de0202e

          SHA1

          555715bc4c3e287180203b7134080d22d2ff9433

          SHA256

          a9a0d37efef19e6c40d99a12f3d2330dc579d75aa11ac1d5e8c40a83d87f6df6

          SHA512

          bb54db63e2bbe973f68cf24a8f18ad3ce702a4862af6764891552df8c005a94234bb0bc99d2d2c7fb7140d024a6b22d9419fe621beb71092033694c17ffcc521

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          3f416435f135c6fa83492c189bf02838

          SHA1

          666fe08d3a6fd91d40f9fdcc1f9881afa0a68c2e

          SHA256

          8f46d89c5d1d8a4dbb51f39d4808a22524d0f4a05446648e07ce55788ea1b663

          SHA512

          930581fb5f1e9173d4f806c34d8bdc415e0a83f00b6738d3bd75cd995426b2580aa749f3688f383c1d88a9157fada78c1c2f1ee41bef5f2f3d2d69f1cc209c5c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          4.0MB

          MD5

          a999a7784f6fb347947a62e02c475a38

          SHA1

          89f6864f2e0078f8f52bf9d3df6de6135199f4df

          SHA256

          be6796a212b9f5f783b4258870445d69024f2b42ba14d17ceb6864da378cfe02

          SHA512

          55d596b7ad96bc5a582cbd7c9926a43bc80c71ecb9c7260bd17759b1a58f6a335c8df3e61a8910ee76ec3562886c202aac7260d24f945aad1a0ed5410e3b5d4d