Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 03:07

General

  • Target: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
  • Size: 3.0MB
  • MD5: 2589b0bc32db1a76714c6933a7a5dbb0
  • SHA1: 9c5cc31ba7b211e6bd843d6ad2694bd3e3ea3c2c
  • SHA256: 8ef24919b65e25209f20c764ea1bfcc1f1e71a54ad321b667e5841fe2429b0c0
  • SHA512: 8fd6e80e97d73ee9b4b064a5819a9e1e3ffb48f2bad99df18f1e786312936140a0a44ec40d93e971ff8c1a4218bbaf10762232f0725c46cc1cc92bf48590c514
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8:sxX7QnxrloE5dpUpRbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4396
    • C:\FilesLF\xoptisys.exe
      C:\FilesLF\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4148
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4828 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3552

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\FilesLF\xoptisys.exe
      Filesize: 3.0MB
      MD5: 221ee7d40fdbdcea2d4d34d67b92f295
      SHA1: 1cd60bb94224b1477b9950ddeda433f24a5b8ed8
      SHA256: 09ccd4c6ce7bb4580f2c1819e294b7f0d757bc5f72aaa8be60723449c6f9b677
      SHA512: 67694ebe6a8283de72a48eeead8a7880299ef0df656572aadfafeadadad7fbd76417ac5a812fc930105ae2849a9501b0a733ca034f61ad9f8df78e69b7f4f65d

    • C:\LabZCD\optixec.exe
      Filesize: 3.0MB
      MD5: c0d368c9c16853e59b6cb0558c98f767
      SHA1: 347591b525a5ca3818fefb003e7ca8e3295b0beb
      SHA256: ce7c82311069dd785be49b8e805c19bbee7b11ff850db34fef40681b65f05b97
      SHA512: b5d766491d84663e50b34428a9be9a7446f75cdcb730eaf71a59bfb6a9dc08b02b6221142d68e6d2ded9b6ec3540727265360148bcf8be9b8e3dc51e11101024

    • C:\LabZCD\optixec.exe
      Filesize: 7KB
      MD5: 84c3a9ef71c6c32cc10faa7a3122fe8d
      SHA1: 44094cadec949c065d4321a4cb7bb4c11cd999f9
      SHA256: de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b
      SHA512: f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

    • C:\Users\Admin\253086396416_10.0_Admin.ini
      Filesize: 200B
      MD5: 9571f966687f3945c61616750feea26b
      SHA1: bd70921c87666e54c6ff4e4a70e1647760f3f98e
      SHA256: 8458131613a6f9da7018061b89b5f1d5dad6ad5a2895e67aa632adfce4f5b798
      SHA512: 719006603675e7bb09d9bf87648b8ddc135158b2b3b29763340ea510b5e00e3656cbeb60f60b5800aa28fd2782215a87127bb4b5cc272968e56d5b31e3c4e569

    • C:\Users\Admin\253086396416_10.0_Admin.ini
      Filesize: 168B
      MD5: fdbfabc0d4072f43e702fa8f7fa7ea0b
      SHA1: 970c1757168a00b4d416ad9b78a44b8be4cc4d2a
      SHA256: b22c2cd4536bfe050abcd8476b97a9c8d8aa1b726eae1c6ff5c3a43f33e805e7
      SHA512: 124ecbbcaaea6f597c0ad8f1348679c337e679eb7d5ed3866afc3fbea1b5bb5f0cae5e91edaa3d76a01209d326fa070ea6c6702d5bb842c42b7a82ab38f7953e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      Filesize: 3.0MB
      MD5: 6225f88e62be1744cd9f5867beef8534
      SHA1: ef82d368c9ec776e2d01b1248e17fd820cc77519
      SHA256: f7af817641f776b3ff5f8e4d977ab66946f0f349be159365717dd3c270d1a18c
      SHA512: e0de56110c68541eb7da8ac441f4f519a7fea176ccc25f13145c43a266c0f4ad0f0151a3ba58f968ce40455cc5172972adc7e2dcdc51cee27b1b104455001ce1