Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 04:24

General

  • Target

    5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    5e1c8de89597847d39f9443b7bd03160

  • SHA1

    d10c16c03ba59aeb9a0b2d4fc5d9e4bae428ff53

  • SHA256

    bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec

  • SHA512

    b6f4d75a44e3d23666e3fd8f6b27255771869f6bf015a837289602ae31df63c818a8f3f352b6e322352f3d78f6e0c070fbbc45c9a4aed926168331dba444a756

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUptb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4524
    • C:\IntelprocFU\devoptiec.exe
      C:\IntelprocFU\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2168

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocFU\devoptiec.exe

    Filesize

    328KB

    MD5

    c4f83f89913d922645c736eca3a7d7c0

    SHA1

    e7abf0d004e66cd4e9bd82cad6027f5257f0dccf

    SHA256

    71d500d6c794da9230f8dde91cd41d6de5af59fea5eb4b1140e89914afa08bde

    SHA512

    1b93dac85ca2e7713977cca57705fdfeeb470dc1d9b72eb4858a2f5d30ff0c64b234425491f7576f3afb4627d41391f5237bbe75e3a8d9c9913f8014e505d595

  • C:\IntelprocFU\devoptiec.exe

    Filesize

    2.6MB

    MD5

    36dc548713e327e5d194c946b1dd8b4f

    SHA1

    667a693c695074b8e496b9c1b4ceac8fb16b96e4

    SHA256

    926cba8c61e26c002f29a068df048b89bd76366e879c7a10dfaed734d17932f8

    SHA512

    e007655f7fe1ef74e390f3e8c61488b837c467de24c5bd2b452c0ae83eab70f5c1fb54c730f14e4a3746f931ebc37852d4d5c50bc722540fb75b5e9b790a398c

  • C:\LabZ36\dobdevec.exe

    Filesize

    2.6MB

    MD5

    b42aceeb7d6026522214786e59f568eb

    SHA1

    119a53f62efdbe60109ec165bdc5cbaa4e1f10fd

    SHA256

    82c2b77061151e3f5388562591a5f1b5f429adfbb897ebe184f36ef36de58549

    SHA512

    94949c4a45c20eaea2c173b6adc340fdc31bedcec3dc915f90eb31ea2bb850f1345592ba93330bb023829cc0a1fc5738070b12b9b62c94b70395b05537d7ed79

  • C:\LabZ36\dobdevec.exe

    Filesize

    1.1MB

    MD5

    f23ada096c7adffd47957ad97468d399

    SHA1

    c50b77a9a9105b8ffe2684eb9748c4aabb789354

    SHA256

    0122af29b48c157ddfeb2daf79d543072119c7368fa0a811c2d35340416fa3f3

    SHA512

    bfa83b3b79ea4baefa4e67423807594b627d0bba13b99ebd51a22408dc1d264b4c20b7bed9acb7ac1acac32e5d16b2403195e7422a4222128a7605485ad410a0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    75e17df605a4bc141e54df12e60868b2

    SHA1

    232fa44e3890b2f0df87f200ae265ce725cd46dd

    SHA256

    6443b15bf2d29e46fb5a6c52849617558e90d67ba048b6232d7927caa2dabbd3

    SHA512

    74189d2fd1e3737c1bf396efc28a86cef76faab9ad675fe97820e122f062a3742e7863113efb684c3ab690e02ccb40b6c2dffade4c28c95753e3f6ae8c961ac0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    176B

    MD5

    e90df232ec7d919d78029857aca3d7db

    SHA1

    7b9b5d60c8e33ed2cd164ddc4d358c6c2f0d8dc4

    SHA256

    23410bcbb8999043cf573d56f9c415ea408cc347835db57c45db417d7e9d4ad9

    SHA512

    f253f2bd85c49504700e81e0a08f015e4529dcfe8c8c32fe36b0141e87d8b3b281ef1b4f2b3a8f70150d7b1d8307e0fae0e1a3ca59913f409da9750611786599

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    88c42fbd28eed6898c86e0a12489155d

    SHA1

    13569bd81d69f3a43c31bbd8fc2ab050984dce4f

    SHA256

    1eaba797348d4b58df309de541a06cd2a7396ef95a0d32961976f469936b3c04

    SHA512

    52e53bcecefdb7dd8d84528598c2174d18e0bf9dfb9218b42d52d801d761c4ce1c4cbec682955e96c039ae457cee8b497025e0fff45d6e301331c10fbd4b5713