Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 14:28

General

  • Target

    c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    c23164dbedc67bcd12876522f55dbf10

  • SHA1

    6c2396cdaf58c0b888824c1fc047423f7745b620

  • SHA256

    989995251f92b2d1b6d8ff4a588b76f8a462dab65cb4870c0a9dad27056a30ec

  • SHA512

    84b376102004559a09427cb6b2c00eb9ac9f15656af892c5c26175fd17fdd793e7f1bb55f466c1264af9f7da983093d87106fb52aa46ac81fdf60ff4779c72c3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3876
    • C:\AdobeQ8\xdobsys.exe
      C:\AdobeQ8\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2068

Network

        Downloads

        • C:\AdobeQ8\xdobsys.exe

          Filesize

          3.0MB

          MD5

          62e4de4827e52e4e8fe55b2fcd327d65

          SHA1

          fcdb059ab96a41f1d04bf48ca65dfdcf7e4f3bca

          SHA256

          da2dc14591bf8663b6ecf1c177e0a163b8cf0d6ff8ada86aefc11c71353b243c

          SHA512

          290fc4e4f83daf9b8bc6eee2c028060b11098a6e8e7c68c754817f70d0dcaaba1a058fe31f9d1a8fb942802209bc116f44d3e1a730e7ec8479087061fea21ba7

        • C:\LabZHK\dobdevloc.exe

          Filesize

          96KB

          MD5

          5dfd1fcaf2d285ab6290a78ee4fb232b

          SHA1

          1853582e1d3e70c00771909d1a248111fb96ff13

          SHA256

          dbe9382b77f769d6055068734fdd832bfc2e2054079e0de9367deee70af30885

          SHA512

          63e53a2e7e2958406f37c704c339aba76f012a62656a415399a5d50bf6da4cfdeae846921e433b47093a3783791b870dc8ffaf35727136200658b07ab262ebca

        • C:\LabZHK\dobdevloc.exe

          Filesize

          533KB

          MD5

          0d78ef5abfb4eca1fc6f05520f401935

          SHA1

          d8671f75ac708a092cfef21c07c22c853c44dcfa

          SHA256

          e5f9e6a959bf7054c5397d9472b01707d0ece7fa84a646b05db0d086ef4e8a3f

          SHA512

          cd4ab201e0041ae0ebea9effc7f415fcf3680021025309d909bd89306d382d428bd41cc2910ddfcf83f7a8f9ebecb43e82f7263863a8c3cbb7e80bbf2b70b95f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          e58fc5a0a2aa67564c0bfdb1669f6de6

          SHA1

          8cee14566e0b33401967622237b2bc41f3898f8e

          SHA256

          9f7fc27bcfb84497974f61496545e3eb1107ef9278f8790e1de55e0c74a161eb

          SHA512

          13a55bb7ff58e3435ca6191bb5a2f8589d497982453ff842e6caeccb9eccdb13be51f07a168d3e43e7019c3efae5d1c06ae0665ea6eeab4ed3c1396b069eb1e6

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          3dc4f0865b013b77ea1c1e40d17dccde

          SHA1

          b83c72c8fd79ce675131066eb3c1252900e2a2df

          SHA256

          9ec26492357be56db6f4c1d9d7d8ca8fcc31958f1ed040e1f1c9e382881bad61

          SHA512

          733c311e900f1581e60888d9bedfa79f122fd4365502b69d21a5750988649cbee2e045cfb44e4b0130d6dac88ba28f332688cfe612c48dc4e228c56a948b3c65

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          3.0MB

          MD5

          11200c80dd280ca74e2e3c6507ad03de

          SHA1

          501527750bde62975d4c7cdc2ac3439618bb08e2

          SHA256

          2c17090c35150f617c9386d0441e3c66cf5ca233a5219ed6e8b85b35d0a212ad

          SHA512

          d907c9e5ef08d155f73dbbff60ed6f9617777c9b51de5f552008fb90bdc9b48600a861ceb74d7879ab273b8ece91a2167c257cb32ca047c53a0d9976981dd59b