Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 23:52

General

  • Target

    4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    4e162a2042a856d33ab3989d2572a600

  • SHA1

    325acaa411181457eec41cfdbea6cf558354be7e

  • SHA256

    1ab17e03fdada90dd88aae5d633dfefbc9b2b213be9d04a3cece47398026d5fa

  • SHA512

    349614707e46c13d4f970cbd19b620d5b8cfe4dfe48d21296ddab97088ac58d7f59904c4cfc4e548bfa9008c9cd2a78a9b97f740a97c1197ff8295c859ad5be1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp9bVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1664
    • C:\UserDotXY\devoptisys.exe
      C:\UserDotXY\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint4M\optixec.exe

    Filesize

    3.1MB

    MD5

    cd598adf86d0e01572972267873b2672

    SHA1

    43346a554a6277092fee77f94682bc9ae7549f25

    SHA256

    b64893bfacbbeee7886581e12d7b83ddc95bc91c9d3ef58a86b848bb2e1f1852

    SHA512

    0f57f456c7e6af19e94695df38983b251f81abb9e47a31d8831e2f4304c09e82a8fbc1a4e554b2953902823321f54588e066c037476376cbcfbcce8f98a06846

  • C:\Mint4M\optixec.exe

    Filesize

    3.1MB

    MD5

    983d91076d128fa70e4fb2ba14553c2c

    SHA1

    04cb956b20379f1db25e5581502732551f85e2c5

    SHA256

    bff44e1b659ba7864f41c14ced34ea5b9fa9b3b4f89337d27917b0e001691454

    SHA512

    6cd05e49364df66e0e54731914304020f844278a784867737834ca9ba6a8c618c6a6e11cec13b7186c10ffc0e25f78df387053ab8e86f86f7a6dbc75faac00d8

  • C:\UserDotXY\devoptisys.exe

    Filesize

    3.1MB

    MD5

    a23bcd9bcc2271d3305712734deb86df

    SHA1

    e571d8260c1b11b5855e442d1fd5eae863063380

    SHA256

    05564f8e200042cc920420b1cc46f4d96f7546eeb2a362658871cb71071c3774

    SHA512

    30fc05df0c063c0aa840d5993bc23c5e20aa8b22ded5d7868658955731be0680fdf33e366c720d57764677c3ce1f15b9c5076c38073894a9ee437bf09f990853

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    b1be5461e8ed0fdd490776935e800386

    SHA1

    b6de9671a467188583deacda01eb81525692e921

    SHA256

    e5323be30ae88ea7960307cb941a069cbe3216db3010954beb5b76bb5baeb27e

    SHA512

    e43df038a4174cbcb1c3b4e0e7dd889af6af90ede5a01b12824bcf683cc71ccf2fa3a35ed960a0946e8be778b2b9803ee0baa1594e8c455836a4600795d792a2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    caf6408a219965c3a2cd29fc315d02c9

    SHA1

    b5513b155e330264b799edb07f34888765d9cad4

    SHA256

    a3204a8fbf8aeeb5713890f513619a1a2c7cd613ece0946f4cfc30250dcbec34

    SHA512

    f11a3f465b238cb30a221e422b30d92fa8cea42985bed22e330089910f0cdba222f45ad82923ded1a7a1bfd810ccd76e226cd564917bff71c838da0b4158bec8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.1MB

    MD5

    cfccd03fb399fae0df49b9a5137d9879

    SHA1

    bbbcba2a9ebcfb47e68efba2d96626e3f540e435

    SHA256

    a0a7fb72c0c48f692e1291597fac4c8a1d7d19c6fe6d601e62d8942c61bc7a17

    SHA512

    5aeb526aa3d8930d46a89e05f00a3c1ecc18e6bf85fb46ce0e106aa0a529c0ae976410d2b4e1e2262fe6e8234621715bc1d2ffd89e5ebc89b7d6e5a00b65dea8