Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 13:04

General

  • Target

    3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    3ca6e86a4c59ac5490197169c427e720

  • SHA1

    ff47d9977811d55a4402645f2e0fe97dfaea1563

  • SHA256

    5005583fa4f8c5871a75859089148fef2e945b754405f7df5fe22b5e11723c8f

  • SHA512

    4ce3c441ff80e13f47fb2b4e6c94fc0365ef568dc207726fd6337c61191a611bc92b5cb03b5b875017cf56c0422c8bb917154d304ea2a809d9c9817a998625cf

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp3bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2888
    • C:\IntelprocQ0\devdobsys.exe
      C:\IntelprocQ0\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocQ0\devdobsys.exe

    Filesize

    3.6MB

    MD5

    db355e50f8db9e5b2c0c6df33eaf579b

    SHA1

    5025e1e6d3faf06c4f49aaf8ffb13eabd8688f0b

    SHA256

    c6717e13f79c71f63a1296e8e09eba364d0a0e55a5b1689554a8d61ff37d438e

    SHA512

    f45e0358d9ed596d79da0332fb640a50ca8d9e52fed339f7eed698bb86bce5b41035d1731a048b6e09f3f7c1e0b8fa0633c457386e567997d175346e1fe363b7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    176B

    MD5

    b88d0ab625398d17b0aba6f18964ad0f

    SHA1

    b30e945ca80c2e1805dbadbe8381129a17d9bc10

    SHA256

    65151c82bef73a4081b6085dcc988b45824c27f978a974ff0fd167dbb3bbf402

    SHA512

    bccf85d92eaa4f5a3168cf72c97d3188a7bda83e551c837f66e21f91118a4d242289bcdcdd75a74e213f917bdf661ffb09c2c67b63a80540e29bd9224e75a6d5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    208B

    MD5

    36540c1ddd4d5293339dd3bae83466fc

    SHA1

    589101cc087400ffd1a9bc2e27674ee9e1538c49

    SHA256

    1f334134c89bc2c38a7dc0c9ed99eea1b307e32bb6eccc5030e8164e728d5b9f

    SHA512

    1884094807e779ef2abd931206c3bfce4a9cd4e01e7a53f0eb6db15881c68acfb4488d40ea34ba0c281f42968aa24d7c61dbb8d4977525b6509b511e0d4a0719

  • C:\Vid95\optidevsys.exe

    Filesize

    3.6MB

    MD5

    b29a72601251746414abc29c606ad768

    SHA1

    514d897cf8590317d32fc72c66fa9d57a0f4d5db

    SHA256

    9eb7276d9be2c5f36e5396ff694f69205e49416d133cfd03421ca930c5884822

    SHA512

    059b99e976870a216b0a5e9ad4b9faead797ccb1c5ffc6f4232ba175d17945a3b08ca85936462f9c5d02cb1ff1a3b4fe4e9d3bf36564ed572c10fd5d6cf5921e

  • C:\Vid95\optidevsys.exe

    Filesize

    3.6MB

    MD5

    06420e2c319188be1b1755419f3c087c

    SHA1

    75da99c9c2873309d43006d788cd586ae3e70193

    SHA256

    8e67cd528e7f94b8e3153cb4e5e4fbae5ceb282fce8219e397a6d141f7aa9139

    SHA512

    253418e5e2e2560c72f232bb0ca122f111274eb0cbac61a59e99c58a9d5ab2ee015ec68c60a72d953e0fa092d9cf18c6180c6e0a29725c0f05792c1feb3a2134

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    3.6MB

    MD5

    a63651ebe4843d04a7bf7437df70a4d0

    SHA1

    9baaea919f3bd9d9f1de1e859d087a680730a0b5

    SHA256

    0fee5ce2672ff97d9c9364d406a6666513f5fa69d9e2c307fe528d3a13d88afc

    SHA512

    fa0101ec88e32d16830a67ce3b8b09e37896d1d3ac622261f670bcf6a35751dc75a0baede793eb2572613c8448e302433d3990c7a6d2a8d258ea3494386a4566