Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:06

General

  • Target

    3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    3cc47c00cc72e68a881ef4960a223220

  • SHA1

    77afc423ba05d7bda519a0b9a22f728d1dc12174

  • SHA256

    6183d1cac848af34e0dd5d796819d29311ee895f8f6db11635828b9165c77032

  • SHA512

    37a4ddbc3bbac34303bfcca74fc060807d5e09170fec73b161ec2a017bb90b6409211970fcd184ead0831bcc175115f31347bb386e6f0df56e9de68a36cf280d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and form data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4624
    • C:\SysDrvRD\aoptisys.exe
      C:\SysDrvRD\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5012

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintER\dobaec.exe

    Filesize

    576KB

    MD5

    1813890ae3ea9f2197e18015ff9122b8

    SHA1

    7bee4e6f71c91b0b575acd3d46d2f7e41c8aadd5

    SHA256

    46e0ce27d3dbd82e299f0ed515128f4762561d8aa0dd0bbd7b73f8e49e806315

    SHA512

    8adc15db5f816602c4240fa0860ffaa4583e31abaa313ed2f039cd52dca7d7f7e3a6957939aa2e9cf4f955cc358582393ddae016e2c23d0c5e86372e8a384667

  • C:\MintER\dobaec.exe

    Filesize

    1KB

    MD5

    81306907a8898717e74eee7fe3ec9748

    SHA1

    6871f1f920d712de6120473f387e1497841b3829

    SHA256

    1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322

    SHA512

    205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

  • C:\SysDrvRD\aoptisys.exe

    Filesize

    2.4MB

    MD5

    95b34ec8a31d0ec3abd07d4677803b60

    SHA1

    058221246f7fee09356a1d810b027a0a15ec27b7

    SHA256

    f61247540a7fe46ae909d911bec84442789841bdc14575e7e3d40ad9d1e5cc99

    SHA512

    985f6a747c5b46f25e129fff1877a3b48d271a13c298f30e460b490979d7a2303a2cac51c78dcce969f7ac9f1a6f288a48a5660f5317ddcb07a4634dd7a79499

  • C:\SysDrvRD\aoptisys.exe

    Filesize

    3.6MB

    MD5

    83ed8cfca063f3de619b965d1c331421

    SHA1

    e32259277cf7f34f1ce26690e8fc2ac17a2069ce

    SHA256

    80feaa2ca102104a04de50981b2302e14bdc1050df4e4e3902a3659355fe6445

    SHA512

    594be7040aefd0a302e76cad7d9e6f4b98bb6d65a1a7c3e15ceb54b3154bfe7aebd494084c1365bd0cbcc2bcd3a4c6327f40f483edcff0a7b1f979330bfc161c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    c9b6cd193b94db01da9adbb25618a35a

    SHA1

    9d109148f6c175cd6c65a9fc04493f639368fdf7

    SHA256

    de0fa00a9ce9d52a49b813006b750a572b9059d60a27265056b362ba312c9716

    SHA512

    8400ae86d7b693018e9248c46b79ffdae5878fa11ae52ff0460b52224bf7e4e548fb64c1e189cb79d9eeb692f8a096702191273a5536f2cff1697e2b5cba3b4c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    ecfd3557d2ed18ce4069985ff03ce708

    SHA1

    afbcfbfab8ecd2131a0a4c811c67556f216f96e5

    SHA256

    e3d6a3ffdbba19b892c4fcd928ce0fb87d4af92781f1e6259dfe6f4395e9e356

    SHA512

    16becb18d96627480354947b9a2ae94d337e78f4d92766d77b6aa4794cef9c9dc6e4426d5b38a3dbdf8acd2973a3f299228f3cb88540ce424001def49abc9b8d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    3.6MB

    MD5

    d2f856aeceddd993ddcbbbef76b3e62d

    SHA1

    51ff96506d2d6012c91e9a08947805e48287b06e

    SHA256

    ea82aafa160b28ce8cdd67b5a448d39e9fd4ca7655e2b4fcc6df4b3379293737

    SHA512

    977cab8cce9fdebaef6f7cd841841dfb9f75fd0251302a4b27f3a089f13dc860616e7a48a0a648328169a85a6d5d8b8ec8463e6f2fc60c8bb548d19923b1ea87
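The Downloads list above is the part of this report most people actually reuse: the dropped paths and hashes become host-hunting IoCs. Note that the same path appears more than once (dobaec.exe at 576KB and at 1KB, aoptisys.exe at 2.4MB and 3.6MB, the .ini at 201B and 169B), each time with different hashes, so any tooling has to keep every entry rather than collapsing on path. The script below is an added example, not part of the sandbox report or of the sandbox vendor's tooling. It parses the text layout exactly as rendered above (a "•" line opening an entry, field labels on their own lines), validates each hash before accepting it, groups entries by path, and then checks a host inventory against them. The excerpt is copied from the report (trimmed to three entries, SHA256 only); the host inventory, the D:\stash\x.exe path, the jdoe user name, and the choice to wildcard the profile name when matching Startup-folder paths are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Trimmed excerpt copied from the Downloads section of the report above
# (three entries; MD5/SHA1/SHA512 lines and the blank lines between fields
# dropped for space - the parser skips blank lines anyway).
REPORT_EXCERPT = r"""
  • C:\MintER\dobaec.exe
    Filesize
    576KB
    SHA256
    46e0ce27d3dbd82e299f0ed515128f4762561d8aa0dd0bbd7b73f8e49e806315
  • C:\MintER\dobaec.exe
    Filesize
    1KB
    SHA256
    1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize
    3.6MB
    SHA256
    ea82aafa160b28ce8cdd67b5a448d39e9fd4ca7655e2b4fcc6df4b3379293737
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = {"Filesize"} | set(HASH_LEN)
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# The sandbox ran as C:\Users\Admin; a real host has some other user name
# (assumption: wildcarding the profile segment is how we want to match).
USER_RE = re.compile(r"^(c:\\users\\)[^\\]+\\")


def parse_downloads(text):
    """A '•' line opens a record; each field label applies to the next
    non-empty line. A hash that is not lowercase hex of the right length
    raises instead of loading a mangled value into the IoC set."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = line
        elif current is not None and pending is not None:
            if pending in HASH_LEN:
                if len(line) != HASH_LEN[pending] or not re.fullmatch(r"[0-9a-f]+", line):
                    raise ValueError(f"bad {pending} for {current['path']}: {line}")
                current[pending.lower()] = line
            else:
                m = SIZE_RE.match(line)
                if not m:
                    raise ValueError(f"bad size for {current['path']}: {line}")
                current["size"] = line
                current["size_bytes"] = int(float(m.group(1)) * UNIT[m.group(2)])
            pending = None
    return records


def by_path(records):
    """Group by path without collapsing: the report lists a path once per
    distinct content it captured there (dobaec.exe at 576KB and at 1KB)."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["path"]].append(r)
    return dict(grouped)


def canon_path(path):
    """Lowercase and wildcard the profile name so the Startup-folder drop
    matches whichever account was logged on."""
    return USER_RE.sub(r"\1*\\", path.lower())


def match_inventory(records, inventory):
    """inventory: (path, sha256) pairs from a host. 'hash' = same content as
    a dropped file, wherever it sits; 'path' = only the drop location
    matches and the content is unknown, still worth collecting."""
    known_hash = {r["sha256"] for r in records if "sha256" in r}
    known_path = {canon_path(r["path"]) for r in records}
    findings = []
    for path, sha256 in inventory:
        if sha256.lower() in known_hash:
            findings.append(("hash", path))
        elif canon_path(path) in known_path:
            findings.append(("path", path))
    return findings


# Constructed host inventory (not from the report) to exercise the matcher.
SAMPLE_INVENTORY = [
    (r"D:\stash\x.exe",  # same content as the 576KB dobaec.exe, renamed and moved
     "46e0ce27d3dbd82e299f0ed515128f4762561d8aa0dd0bbd7b73f8e49e806315"),
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe",
     "0" * 64),  # right drop location under another profile, unknown content
    (r"C:\Windows\System32\notepad.exe", "1" * 64),  # benign, no finding
]
```

`match_inventory(parse_downloads(REPORT_EXCERPT), SAMPLE_INVENTORY)` yields one "hash" finding for the renamed copy under D:\stash and one "path" finding for the Startup-folder entry under the jdoe profile; notepad.exe produces nothing. Hash matches are deliberately path-independent, and path matches are deliberately reported even when the hash differs, because the report itself shows the same path holding different contents at different points in the run.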