Analysis

  • max time kernel
    150s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:36

General

  • Target

    3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    3eaf7470bab5b68d7c069891d99d1d10

  • SHA1

    ef12bf5649f38fcfc73aa9d030c4a5d0805b2a61

  • SHA256

    a61ce869d228e1e79be2462fa23779dd5a1c43642e470b7ed4232b48c71cc393

  • SHA512

    b99ebb867fd982a9cdce2cae7c21677000fdc98e26939d2dcfd3337e88394908bdf022ee30c57f964d0fc44ceab3d6268fc548854840b5b55108aff8166f7e2e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3684
    • C:\FilesCE\devbodsys.exe
      C:\FilesCE\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1944

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesCE\devbodsys.exe
    Filesize: 224KB
    MD5: b731b70145c43a143d27cf6848a24258
    SHA1: 9263279c18df5ed1f740cd5e37ca036a863ab6d8
    SHA256: e4d88d91f5fd4ccc7a4a5c7a8ad227c1614d755dd6f631a2dea77b03c94fad32
    SHA512: 5146cbe28e812d8e5916ffa255f644ba4ded9694aba32be3a070b33e42d4f4e9a997ec86c65eb6ae30eba29cb6722e267fea70ce4f509397e3df84394a4314fc

  • C:\FilesCE\devbodsys.exe
    Filesize: 3.6MB
    MD5: feaebd34544ee1513e10f8e43b1bdee9
    SHA1: e0cdd86436a49c8dfa621c02de9ec6484b049912
    SHA256: b6b43edc8adce647f60eb181e06bc9ead843ab84837e4bcbcb4e89f0deeb365a
    SHA512: 7df3910ab6514cc5154f31a80eed4c2f5efb32e2e39cbc34ba843bff896596002e12052f871df2cfdd63254e71e39f63601aec7ca08afc39d8a5c408c8aaf855

  • C:\GalaxBB\bodasys.exe
    Filesize: 2.3MB
    MD5: 1297dba194a453ff0464617478cb7043
    SHA1: d8ad7a17e7cf39e03075c6b226067924a2d45a2c
    SHA256: 1ad0fc38588c1986e68778fdd1bcc0c2587b21e777a96e2e9fb3c19b08e0d7d9
    SHA512: 976fdb69bd0f9f51b1a607504bddd780661eb442e4fded5ee51cae8596744560eb4329b116a98aaf47f805f8feaad626818f414af1abd3829f9442e213d82e9b

  • C:\GalaxBB\bodasys.exe
    Filesize: 637KB
    MD5: eee8d9f20fee55fd343c4bcb7f7912b8
    SHA1: 89c7ad700bee445dbc4be43b2fb57317d3e5ee39
    SHA256: 26cb1d36d435274acc02ccda99098e9aefd225bd6d32c804d59aefcc7568027f
    SHA512: 8c15291604d75db7627b634118fb9ab7b328ae3a3c3de40555d39e098d9b6ac64e626dc713beba41332bb12d8fe130cdeb3c381825de6b3e7639ecd50d37f21e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 149ba287234ec6a6b8169576e1aadfcf
    SHA1: 3383e14dbc03c422f744cc35af8b95a4b2d57a3a
    SHA256: 756def2c16ac82b4c460525e92cc52c2c1bcb8f89427c777bb26ba63f7237eea
    SHA512: 69c64453fb4189f79821a304ce86ad8afc303998b0debb9032d7ac03d8f6755d2d87a9b470b38718b894380a2f37c29da35c7fb29e2539ac322d8cd91a3d9df6

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 9c0335afb7926be7511922ad5b2832d3
    SHA1: e8ac7ce3e1f7643524cbafc61065d8701d7337e1
    SHA256: 709f48dbd18de4a2f1e37c21b777e0d5f730fcf974959c236fb1d53d6c6a969b
    SHA512: bc4ca321f0f5e3778535c296bac44d7d719f0707ed93da69f4251100aae0127476ac581ba0de26e0211b58f20e32d7931caebce3573d0686c99445008baacc69

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 3.6MB
    MD5: fc4228d25b96f3b64f21bfe2e509b573
    SHA1: c80170a5ce0f7cc639f64085f389e687281ea9b9
    SHA256: 1b4d9d5e9409faa5247c5b6a7a96ddb5bf2e60716818d656086e22111d6225a7
    SHA512: 839d2953bdbedac04ce632f9156e39589a0dc88645f156c80115b38b33c6263f841b886f58b4900b5f369dac81ed2f1abf7af6cd9a004ba29150dec706238e57