Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/06/2024, 14:28

General

  • Target

    c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    c23164dbedc67bcd12876522f55dbf10

  • SHA1

    6c2396cdaf58c0b888824c1fc047423f7745b620

  • SHA256

    989995251f92b2d1b6d8ff4a588b76f8a462dab65cb4870c0a9dad27056a30ec

  • SHA512

    84b376102004559a09427cb6b2c00eb9ac9f15656af892c5c26175fd17fdd793e7f1bb55f466c1264af9f7da983093d87106fb52aa46ac81fdf60ff4779c72c3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2160
    • C:\UserDotI0\devdobloc.exe
      C:\UserDotI0\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:848

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxXL\bodxsys.exe

          Filesize

          3.0MB

          MD5

          ab25ef7b9799f9f5bf14a152dc845333

          SHA1

          f2651b77cfad2abf59996e5d49f36345d81520db

          SHA256

          bf64ee580070817c9ce4397e000c66e1db738b295afa9c224009b15894279d5b

          SHA512

          eb9bc606567650f3099a8dca2ffb2ed01d338fa154a9dd86ddb5e5908799b4f334a71ba95c0ac4a154a685a7249df53f44f56fa4d22d268fc008d2bace8c7736

        • C:\GalaxXL\bodxsys.exe

          Filesize

          3.0MB

          MD5

          344ab737047e1aee4f577e32544debac

          SHA1

          5f3542f558919dd5996118475eadae647bac53b4

          SHA256

          c63c5ddc1501981fcc67c89cadd01a6623113d27dd41e649b981e2f1151d4b94

          SHA512

          74f0cc6f802ba43f788d01c905de3a940d3ef20255270da69ec313067f374f6c8c15c46068d2b9789d8c6a842e0c8d426316d0359432aa3adb99e4509fb305f4

        • C:\UserDotI0\devdobloc.exe

          Filesize

          3.0MB

          MD5

          c1fdae2e57b2765bf7cf539b5285d0a7

          SHA1

          3195ba56b7432256ba4c9aef65df64dd991a1b76

          SHA256

          a25c43c7110a27b10eac3f395b1e4efbb80d4720c7cf2a63cde93f740b11c5fa

          SHA512

          3c0d43a164cfe89db33bf45327112c6f35fdc9eae3069448e1f6071b9bc1496e75547c408cdfec4aca33bfd7041d39337a4f28f4014688237f3944676346f217

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          fc7c47fe848565142a43008441217222

          SHA1

          df637ab4729b060b4785c4d30caf465214a5ef2f

          SHA256

          3758852cfd6e2b351b9bbf668ac69d1ae27fc970b13c95e29189670be4dee762

          SHA512

          9556be0e7b8c838aee594f922f47444f60a863426c48cccb80aa5d1774150cc12c616ee886af1c969c379e0b3b84c14f647703cc78e76cae3d54646c90ae6c36

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          8ec770cd69a63d2ad7df4c51511f0951

          SHA1

          81f22feed879d24e2490d939109128a5e06051e7

          SHA256

          8d866fc0c6d6203c44e971e8fb09171b55b3fac8e5aa81e9c3f54a44322e5266

          SHA512

          9151a6dd30d05cac58f48b61aa78125dd57474917b52984ee0985503906e475f9591eabb47e4d06eb61dc8cba0ec85e783a41731a8c135a50298f7d4e12a7ae0

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

          Filesize

          3.0MB

          MD5

          a150ea297abf73a83b1bbfbb97722745

          SHA1

          199e20acdc7308484ef8290464ea01a81563cb89

          SHA256

          b037ee72a9b679b1d60e9d86b4bc35a73c4041be8bce5ee6757c00e30c55819b

          SHA512

          31b89af87d9d032dea346f86afc8f6aa8d7d41ec3c3c4ce1528e140fecdaae003fe4db600be791db6a3e1c8d24b4b030f5707502bbd26d0281984b43e7e9613c