Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 13:59

General

  • Target

    400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    400a6face13f1fb9d5a6cb6140049db0

  • SHA1

    b48827a61837d78b608f5389ea755c018a540de4

  • SHA256

    9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1

  • SHA512

    e449299967c4ad0cbc3c92ea3cf3f15c7035c99e913fe6e6625f10a92511c5c395ee9f62c3f2a015074236598d78192c4915bd480d291461349bfff5976ee6cb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUp8bVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1712
    • C:\IntelprocHO\xbodloc.exe
      C:\IntelprocHO\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4404
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
    1⤵
      PID:1176

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\IntelprocHO\xbodloc.exe

      Filesize

      151KB

      MD5

      2921ffe8a4e8a12530fb478f80db260b

      SHA1

      51d864e897362108cffcf37045a159c082c66a32

      SHA256

      cf732cbf467594c808a2b0c7fbdcfff3879f594881042ddc92907815e7ac4f2b

      SHA512

      3b2ede172f3b965b7346c22562d1ee4aa99a8784d9d3ed42e8e31d6b1b4db0a29fcf9ff089b7ae659d3ddfb1d115cff748ef515b4fe6ba08c329e01e0f113b72

    • C:\IntelprocHO\xbodloc.exe

      Filesize

      3.0MB

      MD5

      91c9cf90882419da245d635275328f70

      SHA1

      db7f9d99dc926106008969343da2d2d93de96b3c

      SHA256

      c09f9e85e482142a4147796a6f7538ff1197857827f439a46fa6bf9f55e86058

      SHA512

      4c197a83b570ecf16b1c5c96ee3209a82277cf1ef9c1f45f431a6a490a82363d71c435f66a240f9845a218b868a821b09fcc92fefd3af34f75f68b938f07f8b6

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      202B

      MD5

      9510f81ce1d1da57742e53239ed0fc72

      SHA1

      32efa6e84c91475696cc7e705217149c72e3cf00

      SHA256

      28361b2b330e347363be8d3a562122f0cd52f5f2dee99be824d8f4c2a9143023

      SHA512

      40751e80961aabb176fc3af31675774484c62fe6737242c9c98ffcb3400c669bc84a30113ecbac1526d61f7276ac3a2625c25917199adee5039334a18e2fd0c4

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      170B

      MD5

      44a186e229bd51f745b48e2653a300f7

      SHA1

      750a9fd8089b93b9703a990797f9badd1d60253b

      SHA256

      c0914cece68969587aac9cfbff3f69037ff02f1693efb68c26e74f9990d6b1ff

      SHA512

      a58c4adcecb1bb53f8bf250782297489440a8fc73db45a8051724532be6b1c5952be79cb2b3622acda13d1f767a0d4cf382b8c7174e3779b4e748be86da49251

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

      Filesize

      3.0MB

      MD5

      e7a517a40d84e634dceaab22ed0d64a3

      SHA1

      ae26fc521ee544a4859a1f500cdac3d2c7f71c94

      SHA256

      c34dec97ca67bc3e4c0b6b99445d11cbaeb6ed1f5deca1281672389637a1b162

      SHA512

      cff9ab0f4a31a4f917858df431de7ad373619851356b066352c0e8e8af3f5eec929dae4fa23408f9b986d8a1e0f4f046b72b40c18e0856ad7675ee499b2f775e

    • C:\VidTO\optixec.exe

      Filesize

      2KB

      MD5

      c5cfe1fb3ffc85f6f58808a90a25e91e

      SHA1

      ea78a58a967d2365305ccabf1b39b6f7b0a0b7e3

      SHA256

      50c90a817d63d059b816ac95af37989df34e48ec70ef2acc583abb3cf31cab51

      SHA512

      5dc1e22ba14edba2a7edf8e9a293b062eaede2c7b009297aaa3b1e6a770471f162799a9e1d7fa3d802fcdb3b64c0c79bb4ebb9ef8c89d0aa31f21e642d728cbe

    • C:\VidTO\optixec.exe

      Filesize

      3.0MB

      MD5

      ba4f640a21ee5061e0bdb1a1aec8bc11

      SHA1

      ff64bdfb13b631c3ae5756376f574e522fff116b

      SHA256

      961a4b9c7883c1c211c6e53ca0364bcafa69c13fba4843d07664ddf08eb8b543

      SHA512

      28e087d08b87d4f98e2fe30c4d455a0b726d0f2868151c1a264a353934face9b88a1bac9dd3333457f93c58e11d21f923ae008501fe7455911e875f2b6d403f4