Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 23:52

General

  • Target

    4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    4e162a2042a856d33ab3989d2572a600

  • SHA1

    325acaa411181457eec41cfdbea6cf558354be7e

  • SHA256

    1ab17e03fdada90dd88aae5d633dfefbc9b2b213be9d04a3cece47398026d5fa

  • SHA512

    349614707e46c13d4f970cbd19b620d5b8cfe4dfe48d21296ddab97088ac58d7f59904c4cfc4e548bfa9008c9cd2a78a9b97f740a97c1197ff8295c859ad5be1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp9bVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3112
    • C:\Adobe7H\xoptisys.exe
      C:\Adobe7H\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:428
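The process tree above is the classic drop-and-persist chain: the sample (PID 4184) writes one copy of itself into the Startup folder, another into C:\Adobe7H, sets a Run key, and launches both dropped files. The following is an added detection example, not code from the sandbox report or its vendor: it replays constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet) that mirror the report, and correlates file writes, Run-key values and child processes by writer PID. The Run-key value name and the SID in the constructed event are assumptions, since the report flags "Adds Run key" but does not show the value it wrote.

```python
"""Persistence-chain detection over constructed Sysmon-style telemetry.

Added example, not part of the sandbox report. The events mirror the report:
PID 4184 drops ecdevopti.exe into the Startup folder and xoptisys.exe into
C:\\Adobe7H, sets a Run key, then launches both. The Run-key value name and
the SID are assumptions (the report does not show them).
"""
import re

STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
AUTOSTART_EXT = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
ADOBE_EXE = r"C:\Adobe7H\xoptisys.exe"

# Constructed telemetry in the order the sandbox would have observed it.
EVENTS = [
    {"EventID": 11, "ProcessId": 4184, "Image": DROPPER, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 4184, "Image": DROPPER, "TargetFilename": ADOBE_EXE},
    {"EventID": 13, "ProcessId": 4184, "Image": DROPPER,  # assumed value name and SID
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\xoptisys",
     "Details": ADOBE_EXE},
    {"EventID": 1, "ProcessId": 3112, "ParentProcessId": 4184, "Image": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 428, "ParentProcessId": 4184, "Image": ADOBE_EXE},
]


def detect_persistence(events):
    """Replay events in order and emit one finding per matched behaviour.

    Rules mirror the report's signature names:
      drops_startup_file   - an autostart-capable file is written into the Startup folder
      adds_run_key         - a Run/RunOnce value points at a file the same process wrote
      executes_dropped_exe - a child's image is a file its parent process wrote earlier
    State is keyed by writer PID so unrelated activity on the host does not correlate.
    """
    written = {}  # pid -> {lower-cased path: original path} for files it created
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            path = ev["TargetFilename"]
            written.setdefault(pid, {})[path.lower()] = path
            if STARTUP_DIR.search(path) and path.lower().endswith(AUTOSTART_EXT):
                findings.append({"rule": "drops_startup_file", "pid": pid, "path": path})
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Strip surrounding quotes so '"C:\x.exe" -arg' still matches the dropped path.
            target = ev["Details"].strip().strip('"').lower()
            hits = [orig for low, orig in written.get(pid, {}).items() if target.startswith(low)]
            if hits:
                findings.append({"rule": "adds_run_key", "pid": pid, "path": hits[0],
                                 "value": ev["TargetObject"]})
        elif eid == 1:
            ppid = ev.get("ParentProcessId")
            image = ev["Image"].lower()
            if image in written.get(ppid, {}):
                findings.append({"rule": "executes_dropped_exe", "pid": pid,
                                 "parent": ppid, "path": ev["Image"]})
    return findings


if __name__ == "__main__":
    for finding in detect_persistence(EVENTS):
        print(finding["rule"], finding["pid"], finding["path"])
```

Keying the correlation on the writer PID is what keeps the rule quiet on a busy host: installers write executables all day, but an executable written and then executed by the same parent, or referenced from a Run value set by the process that wrote it, is the specific chain this sample exhibits.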

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe7H\xoptisys.exe

    Filesize

    576KB

    MD5

    3543c1e396994be5e6bbca6203a5cd67

    SHA1

    a949179331a3319ce028d10fde280b2d3f02bb4a

    SHA256

    791e90b8a2084e31c50e95ea55ecf0c4b99a20c49e2ae7b1a5f0d679ff4e4858

    SHA512

    52c9c5d5c16f9f9ceafef516113959565fcdc174f3434d748b4e2d71de81905ed0afee3e5092dec8ccede38b0fb6291d973a15e7367ef717d9dc8afc1e079391

  • C:\Adobe7H\xoptisys.exe

    Filesize

    3.1MB

    MD5

    1514c5739dc79fa7e074dfc202469a66

    SHA1

    4b843a3811ae464b66ac8e496cbaf3c0fb6d07aa

    SHA256

    d1a01a0ac306f39fa0dc65d271d7f80d63a9c4b93ae320758d95638d97605f29

    SHA512

    9027ee1b867c8be4b2d36b73e616e7f817f84704fcc131bd3d3b56502c6ec2a23c41d8ad65d4043cc91f58bd8af241f20e93225222b60561a31cad5547daa69d

  • C:\Galax7B\bodxloc.exe

    Filesize

    281KB

    MD5

    9dc5258b4d283aa317e1b9eadcf93fea

    SHA1

    72eaaa74287a11bd86f9df13853578d7baa745fd

    SHA256

    46797b15b25dc39ca25533f01835c1a807956f1e86cb64124140939aad99b6c7

    SHA512

    ab5c0e5016e8f9cb4a9f2a7e502a81bfa75615208c25981274d1c6e944fa660b823747aa61dbef5299392e2f44698350f859e5ca960490ec7609552043443bdb

  • C:\Galax7B\bodxloc.exe

    Filesize

    28KB

    MD5

    b2c1da885985d7126ff7db091c16829e

    SHA1

    57db532c749a57aa968b1a36590d08090165448b

    SHA256

    d57eb32787d6841d7ed65183a1c8e1f3f343fd04383108086dc973f97b649076

    SHA512

    81ce05eb46346421e265eb6cef7b1c69fb3d8bb64f5c88bf5ba76cfad3aca9e95a6ce6cae81e14884bf072a6ede0b2134bb5a2061cf8d01ca7a87c760284b6ec

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    b7d4e789dbe8aaff0e22005232d66884

    SHA1

    561bb99b8bf60cd817be81e70a1514013689ff99

    SHA256

    c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9

    SHA512

    9772d0d833083c9f49d10d230410304c5e2cc1c361d08d88fe665d101dc041a8ae5b7a388fe62086ff833a6ad91f22ebd3d616e985b3b96f7705ec292c1f2943

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    ffaa8f5b267d209a4b61366b458b0679

    SHA1

    7f9effe04f4a1de5f0aae4ef4659ae94d7bf9264

    SHA256

    2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56

    SHA512

    8ec34760f695bfd5effabade3d4d982c98fa556379f058d1590b7dafbfae5f0fef4cc33e421928739582a603855a350b6fc71fe2df5e50df1a8c630fb0eb8213

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    3.1MB

    MD5

    3597cbf638cd8e1b3865c0832c73f9e1

    SHA1

    315b91825f9dff1ab80ba4591819a05494960581

    SHA256

    c3a40475e296fc0eed01284dc0f7952bb93245e1245ba116c93a45160f385eae

    SHA512

    9dfe956be7799c692d24c05ada67e5e425117fa6100d8f6eb3761bb70ea075492acffb33e32a0fd956e48240e37216d55cfe949cefb7fdcad4195f4bb1cd4d62
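Two things about the dropped-file listing above matter when turning it into a hunt: the same path appears more than once with different hashes (C:\Adobe7H\xoptisys.exe at 576KB and 3.1MB, C:\Galax7B\bodxloc.exe at 281KB and 28KB), because the sandbox captured the file at different stages of being written, so every hash has to be carried; and a path under the Startup folder is an indicator in its own right regardless of hash. The following is an added example, not part of the sandbox report: a parser for this listing format that validates hash lengths, normalises sizes, flags autostart paths and groups the distinct SHA256 values per path. REPORT_TEXT is a constructed excerpt that copies three of the entries above verbatim, with the blank lines between fields dropped for brevity (the parser ignores blank lines, so the full section pastes in as-is).

```python
"""Parse the report's dropped-file listing into hunt-ready records.

Added example, not part of the sandbox report. REPORT_TEXT is a constructed
excerpt copying three entries from the report (blank lines between fields
removed; the parser skips blank lines anyway).
"""
import re
from collections import defaultdict

REPORT_TEXT = r"""
  • C:\Adobe7H\xoptisys.exe
    Filesize
    576KB
    MD5
    3543c1e396994be5e6bbca6203a5cd67
    SHA256
    791e90b8a2084e31c50e95ea55ecf0c4b99a20c49e2ae7b1a5f0d679ff4e4858
  • C:\Adobe7H\xoptisys.exe
    Filesize
    3.1MB
    MD5
    1514c5739dc79fa7e074dfc202469a66
    SHA256
    d1a01a0ac306f39fa0dc65d271d7f80d63a9c4b93ae320758d95638d97605f29
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize
    3.1MB
    MD5
    3597cbf638cd8e1b3865c0832c73f9e1
    SHA256
    c3a40475e296fc0eed01284dc0f7952bb93245e1245ba116c93a45160f385eae
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_LEN}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def parse_dropped_files(text):
    """Walk the listing line by line: a bullet starts a record, a known label
    line names the next field, and the following non-blank line is its value."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif current is not None and pending:
            current[pending] = line
            pending = None
        else:
            raise ValueError(f"unexpected line in listing: {line!r}")
    for rec in records:
        _normalise(rec)
    return records


def _normalise(rec):
    """Reject malformed hashes, lower-case the good ones, parse the size and
    mark paths that are autostart locations by themselves."""
    for label, length in HASH_LEN.items():
        if label in rec:
            h = rec[label].lower()
            if len(h) != length or any(c not in "0123456789abcdef" for c in h):
                raise ValueError(f"{rec['path']}: bad {label} value {rec[label]!r}")
            rec[label] = h
    m = SIZE_RE.match(rec.get("Filesize", ""))
    rec["size_bytes"] = int(float(m.group(1)) * UNIT[m.group(2).upper()]) if m else None
    rec["autostart"] = bool(STARTUP_DIR.search(rec["path"]))


def hunt_set(records):
    """Distinct SHA256 values per path. More than one hash for a path means the
    file was captured mid-write; hunt on all of them, not just the last."""
    by_path = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            by_path[rec["path"]].add(rec["SHA256"])
    return dict(by_path)


if __name__ == "__main__":
    for path, hashes in hunt_set(parse_dropped_files(REPORT_TEXT)).items():
        print(path, sorted(hashes))
```

The strict `ValueError` on an unexpected line or a malformed hash is deliberate: a copy-paste that silently drops a record or truncates a hash produces a hunt that misses the file, which is worse than a parse failure you notice.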