Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 13:36

General

  • Target

    3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    3eaf7470bab5b68d7c069891d99d1d10

  • SHA1

    ef12bf5649f38fcfc73aa9d030c4a5d0805b2a61

  • SHA256

    a61ce869d228e1e79be2462fa23779dd5a1c43642e470b7ed4232b48c71cc393

  • SHA512

    b99ebb867fd982a9cdce2cae7c21677000fdc98e26939d2dcfd3337e88394908bdf022ee30c57f964d0fc44ceab3d6268fc548854840b5b55108aff8166f7e2e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
    • C:\FilesSL\xdobsys.exe
      C:\FilesSL\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1576
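The process tree above shows two persistence locations worth checking on any host suspected of running this sample: a copy dropped into the per-user Startup folder (sysxopti.exe, PID 2936) and a Run key pointing at a dropped executable, with further copies under C:\FilesSL and C:\KaVB63. The Downloads section below also shows that each 3.6MB copy carries a different SHA256 than the submitted file and than the other copies, and that the same path (C:\KaVB63\dobdevec.exe, C:\Users\Admin\253086396416_6.1_Admin.ini) is listed twice with different hashes, so the hashes from this run are per-run values. The PowerShell script below is an added example, not part of the sandbox report or of the sample: it hunts a Windows host by path and persistence location first and uses the report's SHA256 values only as confirmation. The paths and hashes are taken from this report; the .ini filename pattern (assumed here to embed the OS version and username, since the report shows 6.1 and Admin on a Windows 7 machine logged in as Admin) is an assumption.

```powershell
# Added hunt script (not from the report). Run as the user being checked, because
# the sample persisted in that user's Startup folder; Get-FileHash needs PowerShell 4+.
$Startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

# File paths observed in the report's Processes and Downloads sections.
$SuspectPaths = @(
    'C:\FilesSL\xdobsys.exe',
    'C:\KaVB63\dobdevec.exe',
    (Join-Path $Startup 'sysxopti.exe')
)

# SHA256 values the report lists for the dropped executables. Every 3.6MB copy
# hashes differently, so a hash hit confirms a finding but a miss does not clear it.
$KnownHashes = @(
    'b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0',
    '787e05509a1ac83497e00c8e37d18af5813b7e36404adceea2fc5b1a634d40e6',
    'f3ba3062e8091c7256301e0fe003d44f1167b146992ecc60bb0a92b002155bfd',
    'f9deed4a442c94a7512671c42815529567b46e407451cb1be0c9dbe6fb9796fc',
    '2e5223f069b5231815808d8db240043502d6bc0ab273e1a167edf2855b61737d'
)

$Findings = @()

# 1. Dropped executables at the paths the sandbox recorded.
foreach ($p in $SuspectPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($KnownHashes -contains $h) { $detail = "hash matches report ($h)" }
        else { $detail = "present, hash not in report ($h)" }
        $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $p; Detail = $detail }
    }
}

# 2. Everything in the per-user Startup folder; the sample wrote sysxopti.exe here.
Get-ChildItem -LiteralPath $Startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $Findings += [pscustomobject]@{ Type = 'StartupFolder'; Location = $_.FullName; Detail = $h }
}

# 3. Run keys whose value references the dropped directories or file names.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    foreach ($name in $names) {
        $val = [string]$props.$name
        if ($val -match 'FilesSL|KaVB63|xdobsys|dobdevec|sysxopti') {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$k\$name"; Detail = $val }
        }
    }
}

# 4. Assumption: the .ini name <digits>_<osversion>_<username>.ini in the profile root
#    is per-machine; match on the pattern rather than the exact name from the report.
Get-ChildItem -LiteralPath $env:USERPROFILE -File -Filter "*_*_$($env:USERNAME).ini" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Type = 'ProfileIni'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
    }

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No artifacts from this run found.' }
```

A hit in the StartupFolder or RunKey rows is the strongest signal, since those are the persistence mechanisms the sandbox flagged; a DroppedFile row with an unlisted hash still warrants collecting the file, given that every copy in this run hashed differently.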

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesSL\xdobsys.exe

    Filesize

    4KB

    MD5

    b61f1c7ad73efe910c92dd7a7c9a7a0e

    SHA1

    da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

    SHA256

    b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

    SHA512

    224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

  • C:\KaVB63\dobdevec.exe

    Filesize

    3.6MB

    MD5

    338e21da131f88e04267b9433fc8e9f1

    SHA1

    1c487bc31aa3d318edaeb201b8af6f398082bd9f

    SHA256

    787e05509a1ac83497e00c8e37d18af5813b7e36404adceea2fc5b1a634d40e6

    SHA512

    9832ad7952dfa453eaf8eec5290f9f7d971c496cb5e3d0ae080f8de99269150514ea35b7144d8d40212540ed09787400352f671a6fc902a9a416f82cbbb4fb24

  • C:\KaVB63\dobdevec.exe

    Filesize

    3.6MB

    MD5

    e830087411efdcd6ee7c86ff663a5dcc

    SHA1

    a26be9dc1772b362510d64e0ceed869565401b47

    SHA256

    f3ba3062e8091c7256301e0fe003d44f1167b146992ecc60bb0a92b002155bfd

    SHA512

    028e3fc2b442e81b99df14b9c27cc94065ed5cb7dfb410042e36cc381858f7736a160a2b1de6ffddf6a5ce02db3bf154a48376bf8179372c04063bc32051cb19

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    effce113e232459b6e0ccc582f352260

    SHA1

    b1893084bfe742fe7f99c3ca9a05bd13de2d5033

    SHA256

    cfceee15d97b25c12f6a7b512bf07571b24e014d24802ed00532d698a30d5009

    SHA512

    5571fcfbbeb5abaa733d2b1b68d365c1bf9690a1514667d7f1548ff58d20675a62fc3eb5f9ac1b47fc6200e9ece64b199cf81631c252d4cb4e2cf481d86267f4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    ebe2d7a152f22413bfc370203096cf17

    SHA1

    17c915a1514693a9ebc48f1be09c84553f3e388e

    SHA256

    46d7cd789c128c1fb151b269955af84a8290542274b7c600696f7b1e49f464c2

    SHA512

    172eb29337559035308804c6aa29c12b2cf15baeeb484b521088c03a104d83e2dcf0722189946eb2a0eafa9c9a15783ca3689071b3841b50f1df37d44fd0f61d

  • \FilesSL\xdobsys.exe

    Filesize

    3.6MB

    MD5

    499a197d59b4f620aa5e88cce177318a

    SHA1

    a063aabe3234b3084c92d75e007a6cfd11ce6bdf

    SHA256

    f9deed4a442c94a7512671c42815529567b46e407451cb1be0c9dbe6fb9796fc

    SHA512

    6417fb4bdf4ba3ea7ebd03233a68fd46c152482f379d0efcdf11f275de19276dfefce33bfa9aabb723e16c4a3e90420e4afe25b27176df41d78ab52ce09ab7eb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    3.6MB

    MD5

    ff85a2645af6bcabe5a075ae972c94c7

    SHA1

    137b63dd09244fe8dd14aeb386deb733dc3b3ac5

    SHA256

    2e5223f069b5231815808d8db240043502d6bc0ab273e1a167edf2855b61737d

    SHA512

    b6b2d29d91d19cab288bf19740419d54f5e92bb69aefedaab4bfa496bde47863b1f1edf095ad99a3e23d2f3ed074566e4a6639942b92bfc30ccc53cdd6ff98f3