Analysis

  • max time kernel: 150s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-06-2024 04:24

General

  • Target: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  • Size: 2.6MB
  • MD5: 5e1c8de89597847d39f9443b7bd03160
  • SHA1: d10c16c03ba59aeb9a0b2d4fc5d9e4bae428ff53
  • SHA256: bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec
  • SHA512: b6f4d75a44e3d23666e3fd8f6b27255771869f6bf015a837289602ae31df63c818a8f3f352b6e322352f3d78f6e0c070fbbc45c9a4aed926168331dba444a756
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUptb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, such as saved credentials and other sensitive profile contents.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2032
    • C:\UserDotK9\xbodec.exe
      C:\UserDotK9\xbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotK9\xbodec.exe
    Filesize: 447KB
    MD5: 1dc38781176be25e3600c2ded876f946
    SHA1: 3301054c4f6ccb51a665c95923843147d4b8e0da
    SHA256: 507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741
    SHA512: 60f14fae2b0b05856cb44436c2e6b9fa567efe08e13e3db85e15925e3313c4a51202f7adbbade58a9e7bb766072cc10ad6a063cc7978b4204104d140281ac016

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 65afa83001750f48b3c1bf02241129eb
    SHA1: ce386ad973ebd75388015558323e727f0dd6ebd4
    SHA256: d1c45d8afc2b87b17040e2f715d772d29a1898048d4784916123111a8eb0ece2
    SHA512: c3f2b1c54ae38919de91a6df9483de4ad117fcffe81754a5ac407506bbb0d9cf4d9fef0a672d5000c0a94d9444e436de2b860ccaecb6ceb5c4d19fc888d24f87

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: b875f1ababf6c10a134628e46fb02260
    SHA1: e0196465319bcfd2848099bc262ddccab5119221
    SHA256: fb564aa85216bbf7b83e2e00c24151817c8ec269ea17bc82d6c2f1f00e094373
    SHA512: 8c1ff915814580294436697a92effaf00ea5ea555b5a52e1bbbd3011d2c896779095ff12781fe3a51e4316e664b0edfadd48cfd38a954cd7ebb61f4087efc011

  • C:\Vid2B\bodaloc.exe
    Filesize: 2.6MB
    MD5: 6e39c2b845e876b0ed80dd21033084e1
    SHA1: 1f5ef2476f191f31f4031475a68b15e2167cce15
    SHA256: 8947e739c341a7af6c31010f252ff99ffb11e7c10850078bee19d9e284e15eed
    SHA512: 5a575ea5210b981734b4f92037e44e28ecd2e1598d5f0c61fc074f4f761adf1ad7d35f1a74cbda099b4067c46d8d4a3bc271382defc8c3dffbea242d87b30170

  • C:\Vid2B\bodaloc.exe
    Filesize: 2.6MB
    MD5: ebef48138c153b4db5866b3d2cea6e9d
    SHA1: c39d69a4435f466ab30c2dc1b58828be325a9860
    SHA256: 166834794c8228d52e678eae929251e41fb679be515442dd507d4cfb3462e743
    SHA512: 9af7b1a6f9d04d70b02c5b4e98514df1466e14b6b7439deff79b85a5b44f7740d05713e30a5e47d9cf04af572e480fc056cccb29da963aa673d685c59e7b0b48

  • \UserDotK9\xbodec.exe
    Filesize: 2.6MB
    MD5: e81304f18b262cfb5883a916eff7aa01
    SHA1: 32d2ae042d6b105d208c0fd1dc797aef8fa36085
    SHA256: 640c9d0906d02b843944875941cbab6f30204f1f4bd7a7a42f89100218ed086e
    SHA512: 622864b1099785eb3a0885c8a7faf9fbb5b02966534cb78a8e8093a668aac56d6356f5d2b8f1807c8a1a8464d13d6c5a4c4937f0e97ff7ecf533012fc986a07c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: 3185709dc78f047c88e0d6cc7916eb46
    SHA1: 3b7b8e98a3a55f8432951e5caccce5ccb75e9d16
    SHA256: ae23b91f627cbc61ca37b6c0e9ebef1552e834dd617c7f0361818f8040c55e5a
    SHA512: 944e4a1e926283fa8c1d633320734eca2805d969151cd49d1f1606bebfe910b26369099b2472c0d86845875c1e112607912f2b74fcd9cdc8eca436a357cf13d1