Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 13:59

General

  • Target

    400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    400a6face13f1fb9d5a6cb6140049db0

  • SHA1

    b48827a61837d78b608f5389ea755c018a540de4

  • SHA256

    9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1

  • SHA512

    e449299967c4ad0cbc3c92ea3cf3f15c7035c99e913fe6e6625f10a92511c5c395ee9f62c3f2a015074236598d78192c4915bd480d291461349bfff5976ee6cb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUp8bVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2172
    • C:\AdobeD8\devbodec.exe
      C:\AdobeD8\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2952

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeD8\devbodec.exe

    Filesize

    3.0MB

    MD5

    9e975c37e7c7a1aad16585c7e35d52a0

    SHA1

    1a06478eb20271911b7568436a54dfbbc8a00ba6

    SHA256

    d58048d54d222d28cb1823a9361f38c97fcdc30cd05daa47b7f893879a4241e0

    SHA512

    83a867e6376a7907718535f838bfab0b3669c510bfab36263c1bc129ef4fb19b22b10788c354e64f9f5b47d1dba7d0ea00b162679b21154e32f2f5f2251553e5

  • C:\MintR4\optiasys.exe

    Filesize

    3.0MB

    MD5

    bac4a40967d76c1b473b8fa622fc4ea7

    SHA1

    5429e5d703ca6eda5958fdcb76d381eaccebd723

    SHA256

    a0817ed4cac64f7e915c6a2be51250b4d8a3fb68e50fde65ec96931c9401ffc8

    SHA512

    d046a678dc5f0e31e0dfd42b79fcbccb3a59a13d3cc1c7d387e53e194bf9f458b238e9b87f6748c8f1d27e66aa2150696b3baee0db9d4b7a15ceb2472f7a7455

  • C:\MintR4\optiasys.exe

    Filesize

    3.0MB

    MD5

    b854eeb81822e822d8816a73ae35804d

    SHA1

    4c6402efb465f40d65c737368cbd7a8e43a8871d

    SHA256

    20fb6310aa26757811e6c13f8da31205618beab4e3568c341860de34bfef9edc

    SHA512

    616e90f91085e6206118b9d22e09b292ad58d1e2703c4836b77843dd3880e1cf407acb875ffb885c8b4f33adad5fa9dce35fe2f40821039e63417d2535afc0fd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    780dad1329e5a0514260b30fdc670802

    SHA1

    0a2111b16032892a179c5b25acab0bbbe2b9d03d

    SHA256

    aa79b147603ccb5271e88b84523ec718c7e387d05281541eda4cd6a8868eb713

    SHA512

    75f2bd676715e67101fd33c8b83fad363222b1d4ea301339e0e4a84d7ca704fe98658dc8374fa9312b3b94ea6043c5d2ab3e4ec6e7e5d06a2f37f9d48b82b05f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    6b1759eacedf4abc0795c2008b8c87fa

    SHA1

    6af814273ea81115f359ec8829383e77e865b3fe

    SHA256

    103a4e278c5fed08d89962af7f83b4c3976ad2f1f97a87bbc9cd19b44ea772c0

    SHA512

    b625b2d8d8dd9283f114bdebd8777aba6673b957deec36a39f7cae611fe4a5dbd57574b831690ad9980d6e735bf59371941cfe9445d8f041a3393cd384451fa1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    3.0MB

    MD5

    ce4c119122a8085443db7eee9c589368

    SHA1

    8ff8b85555ac28a4c993fa8430da15d9fbd8aaba

    SHA256

    a62bb65a18e1bba520804f71d75a1e21ad852feb9b4d746d96ce91ea1d88112d

    SHA512

    d54cad9c6d6deca6b771c870dc9fd454d0e27012d2b9cb22f8bec0f2c6c0105d8a9c1f713c8e9be06d85e3c5f2201617f42854237d89c26830d30c0935359114
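The Signatures, Processes and Downloads sections above give everything needed to turn this run into a host check: three dropped executables (one of them, optiasys.exe, written twice with different content, so a hash match cannot be the only criterion), a Startup-folder drop, and a Run key. The script below is an added example, not part of the sandbox report; it embeds the SHA256 values and path fragments copied from the report, matches paths by suffix because the sandbox user name "Admin" will not be the victim's user name, and, since the report does not show what the Run value points at, treats any Run command that references one of the dropped directories or file names as suspicious (that rule is an assumption).

```python
"""Host-side IoC check built from the sandbox report above (added example)."""
import hashlib
import re
from pathlib import Path

# SHA256 of the submitted sample (General section of the report).
SAMPLE_SHA256 = "9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1"

# Dropped files from the Downloads section, keyed by a path suffix so the
# check is independent of the user profile name used in the sandbox.
DROPPED_FILES = {
    r"\AdobeD8\devbodec.exe": {
        "d58048d54d222d28cb1823a9361f38c97fcdc30cd05daa47b7f893879a4241e0",
    },
    # optiasys.exe was written twice in the run with different contents,
    # so a file at this path with an unknown hash is still worth a look.
    r"\MintR4\optiasys.exe": {
        "a0817ed4cac64f7e915c6a2be51250b4d8a3fb68e50fde65ec96931c9401ffc8",
        "20fb6310aa26757811e6c13f8da31205618beab4e3568c341860de34bfef9edc",
    },
    r"\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe": {
        "a62bb65a18e1bba520804f71d75a1e21ad852feb9b4d746d96ce91ea1d88112d",
    },
}
ALL_KNOWN_HASHES = set().union(*DROPPED_FILES.values()) | {SAMPLE_SHA256}

# Assumption: the report says a Run key was added but not what it points at,
# so flag any Run command mentioning the dropped directories or file names.
RUN_VALUE_PATTERN = re.compile(
    r"(\\AdobeD8\\|\\MintR4\\|devbodec\.exe|optiasys\.exe|locxdob\.exe)",
    re.IGNORECASE,
)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_dropped_path(path: str):
    """Return the IoC key whose suffix matches `path` (case-insensitive), else None."""
    normalized = path.replace("/", "\\").lower()
    for suffix in DROPPED_FILES:
        if normalized.endswith(suffix.lower()):
            return suffix
    return None


def classify_digest(path: str, digest: str) -> str:
    """Classify a (path, sha256) pair against the report.

    'match'     : path and hash both match a dropped file
    'path-only' : a file sits at a dropped path but its hash is not in the report
    'hash-only' : a known hash at an unexpected location (e.g. the sample itself)
    'none'      : no indicator
    """
    key = match_dropped_path(path)
    if key is not None and digest in DROPPED_FILES[key]:
        return "match"
    if key is not None:
        return "path-only"
    if digest in ALL_KNOWN_HASHES:
        return "hash-only"
    return "none"


def classify_file(path: str) -> str:
    """Disk-backed variant: hash the file at `path` and classify it."""
    return classify_digest(path, sha256_bytes(Path(path).read_bytes()))


def suspicious_run_values(run_values: dict) -> list:
    """Given Run-key name -> command pairs (e.g. parsed from `reg query` output),
    return the value names whose command references a dropped artifact."""
    return sorted(name for name, cmd in run_values.items() if RUN_VALUE_PATTERN.search(cmd))


if __name__ == "__main__":
    # Constructed Run-key contents, standing in for real `reg query` output.
    sample_run = {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
        "AdobeD8":  r'"C:\AdobeD8\devbodec.exe"',
    }
    print("suspicious Run values:", suspicious_run_values(sample_run))
    print(classify_digest(r"C:\MintR4\optiasys.exe", sha256_bytes(b"unknown build")))
```

Note that locxdob.exe ran in the sandbox because the parent launched it directly (PID 1976 spawning PID 2172); the Startup-folder copy and the Run key only matter at the next logon, so a clean process list on a live host does not clear it. Feed `classify_file` the paths under C:\AdobeD8, C:\MintR4 and every user's Startup folder, and `suspicious_run_values` the HKCU and HKLM Run keys for each profile.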