Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12-06-2024 13:04

General

  • Target: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  • Size: 3.6MB
  • MD5: 3ca6e86a4c59ac5490197169c427e720
  • SHA1: ff47d9977811d55a4402645f2e0fe97dfaea1563
  • SHA256: 5005583fa4f8c5871a75859089148fef2e945b754405f7df5fe22b5e11723c8f
  • SHA512: 4ce3c441ff80e13f47fb2b4e6c94fc0365ef568dc207726fd6337c61191a611bc92b5cb03b5b875017cf56c0422c8bb917154d304ea2a809d9c9817a998625cf
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp3bVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe (PID 1312)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 4576, child of 1312)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\Adobe7H\xoptisys.exe (PID 3960, child of 1312)
      Command line: C:\Adobe7H\xoptisys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe7H\xoptisys.exe
    Filesize: 1.4MB
    MD5: 3f85beaf970f439cbe76075586c90e81
    SHA1: f71045bcda4a2af38e332e1e38bf7009d0421a3d
    SHA256: 77235988fcad75b5797d5c575658143c5738f6c0b65b64fd1f7d39c2269f6a5f
    SHA512: e6f2857635855be8be2b16a057239fadcbd7c8239a1c2725f4bf8c03bd455903dedb91bcdfa625e1ad3360af80a7ecdf887c52ae96e7e2c97a52da4e19f93a1f

  • C:\Adobe7H\xoptisys.exe
    Filesize: 3.6MB
    MD5: cf6ed2bff14a722e416a6a998e6c7fc6
    SHA1: f584847591f7748a78f4367f61e58d0f73f0b6e3
    SHA256: 044133cd5ca4ecd39634a17212019beddd0a8023da7e01ba86771e78cc97746a
    SHA512: a9a81f98a4d88827705bfe087638c7010f4ef840a41f3e15b83ff72ad21a9483a79f810031c404333a154c276322421bd5c4588d2f68cc9b10900aed75d29f57

  • C:\Galax7B\bodxloc.exe
    Filesize: 243KB
    MD5: d485821803759891c719fdf3ed0e8d7e
    SHA1: 867ad8cc0a3483b517078aaa95346df470093355
    SHA256: 97f90fb3f83bdcb5fa1f3f975ef440c8a3f70ccd0e3229e39e22a32b27db4a15
    SHA512: a88615e54d1e8eb453f1e3db6c6fdfc57b9cfd77c248018a37f7d7cd81b6b54c5f29e662e8b075a17e2cd8c8ec417ab6a0f527223ee84204243887ce2fdf30a3

  • C:\Galax7B\bodxloc.exe
    Filesize: 303KB
    MD5: 39baf1bd01bfc2eabebea56223e7f3e4
    SHA1: d7f8505ad4245753b9ce1fb673d4bf24fe478bc0
    SHA256: a17c9d4589459028432b687ebaddf2538f65a939ec0f9c2c1b3506b41273efbc
    SHA512: 7d74fed9cc93c97460701b53edd28803726d38b9ef4c043796eba33ed5d394a80bd5025611256d930b894bbea91ce5ed4c85909569bb8f2836c60275f588d97b

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: b7d4e789dbe8aaff0e22005232d66884
    SHA1: 561bb99b8bf60cd817be81e70a1514013689ff99
    SHA256: c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9
    SHA512: 9772d0d833083c9f49d10d230410304c5e2cc1c361d08d88fe665d101dc041a8ae5b7a388fe62086ff833a6ad91f22ebd3d616e985b3b96f7705ec292c1f2943

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: ffaa8f5b267d209a4b61366b458b0679
    SHA1: 7f9effe04f4a1de5f0aae4ef4659ae94d7bf9264
    SHA256: 2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56
    SHA512: 8ec34760f695bfd5effabade3d4d982c98fa556379f058d1590b7dafbfae5f0fef4cc33e421928739582a603855a350b6fc71fe2df5e50df1a8c630fb0eb8213

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 3.6MB
    MD5: 513a5c2f5e70d6850168036eb4a6dd73
    SHA1: bfa00843a4ea9e8a9e4ac3c36e0c3597cae95233
    SHA256: 88a82acc196db2828f959b059f76595fd33e3af9ce85e9a10dbb085084d3849e
    SHA512: 7950a78aded65ae7cf50a6b136ef5f41ad6eabf188a2596ed16965d3b71deba501c5a5f60b4559ee0e238d97a8837b0888889ec01d8aa73ac118ff23a6b7ddc6