Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 13:06

General

  • Target
    3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
  • Size
    3.6MB
  • MD5
    3cc47c00cc72e68a881ef4960a223220
  • SHA1
    77afc423ba05d7bda519a0b9a22f728d1dc12174
  • SHA256
    6183d1cac848af34e0dd5d796819d29311ee895f8f6db11635828b9165c77032
  • SHA512
    37a4ddbc3bbac34303bfcca74fc060807d5e09170fec73b161ec2a017bb90b6409211970fcd184ead0831bcc175115f31347bb386e6f0df56e9de68a36cf280d
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2916
    • C:\FilesPZ\xbodec.exe
      C:\FilesPZ\xbodec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesPZ\xbodec.exe
    Filesize: 3.6MB
    MD5: db82c8e1e4e4fefe5a0d7cec2843a305
    SHA1: d05dbbcac3af5e39f998e22c21508527e29ef50c
    SHA256: cf31f01b60d529c823eab3038703f966a5119931fa025cce40a87e1633db4a1b
    SHA512: 2a553814ecbd8470edad3dd19ff12da80da4223dab37e1e9f0f9485d0e4cd8daef6e5c1b24bfc1bd48305c4af9ef22309beaa4dc23843e265ad3771abc2ea5c1
  • C:\GalaxQ6\dobdevloc.exe
    Filesize: 1.8MB
    MD5: 578ea6a5f1ce4cc1f96ae7d42d547280
    SHA1: f752c611daa10ff3e1d61e7102656b54b7da73f8
    SHA256: 63c82c22e112198afdc6fd036e389534ce6af6144c64878d63a2ca97ae93ba26
    SHA512: 6f2489060890798ee1d804fd11b889bf10f62c5c09f09c11b7f125cd5539e9d39c70d54e74e2bb3274de73138b8027598182c04033e1fc91ed5432481ac16348
  • C:\GalaxQ6\dobdevloc.exe
    Filesize: 3.6MB
    MD5: c734d02e63c97aac94d2ff8d5cd05f27
    SHA1: e110304fa6ab2fdbe456508c594d62100a9b16f6
    SHA256: 2e069205cf05d49aa48ce2654d52ba962c6602a7214ce6a8e713e8c41a8e9b17
    SHA512: c6fd8f1acf9ccd8b3747338206cdaad775b6329d988131bc81d154466627f5b8dbaf741d83fc3dbf9e1a633d994b00ce598cbc1eb89bbebbe625d467fc2ae158
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 5095d66016193fc4a6d95b149743438b
    SHA1: 180f6d217527436aca754d676c41722adfc5b561
    SHA256: 9c6211ff7db4d1ccc006caebe8e48435108793513d2ac4acb39cb04ff0e9ffcc
    SHA512: c753e1f2203e22f062b40049521030d99660e3e9a93dcbac4f528bf13a98fc86519c4c303d79b2f9a8e842f26b8d111a181bf5bf80b6ebf151dbfe4b8b4440ed
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: 7b71a09ae15f11393d34f50165929ad9
    SHA1: de3fd1480334a21d562209cacc0d8922f85f143e
    SHA256: efa3a58e48ffb1599986ab2a6b527289989864016b2a0b87d60ab413352d1bd4
    SHA512: f55953f8302a5e32864c3e820ea3d680083650ef254a303b1d8a5d0daeb018cd904f141b279f06617fb4c61a46e9d5dbd3cb51d2db9b3ec78cc67e7980aa18eb
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 3.6MB
    MD5: b0b8e50db8cae70071bfefc8a19a50c9
    SHA1: 3c2c57d1ee9323c08cd09ac797b826d74f19dbc1
    SHA256: 504030fdd103c27b4089b5a794a55308f8de422f4715088fe11de068746adcd4
    SHA512: 0539332b2e22ff7fd79d48b39219bcaf44d603a129f54e174259fbd636bd33de172ae3b561addf029b9db2590383f5df35dc7f4daf8af3e530c9f782581bc497