Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 04:28

General

  • Target

    5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    5e7e5d3c8a80fe057652c13e56c93a50

  • SHA1

    fe47b778a672a59b06f7ce51e46c9a0bad9f2ed2

  • SHA256

    9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6

  • SHA512

    f352480b65cc7bc075e9f1542084f49ecf8a070c0ce4a11ab1786473dfb9058d81ab62834a5023a7e5f63cbe744fb9edd8a8cb814fc9667de7d1e2ffbad8584b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3020
    • C:\Files7F\aoptiloc.exe
      C:\Files7F\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files7F\aoptiloc.exe

    Filesize

    3.2MB

    MD5

    6fc8cd47a3e8a1699d03dd51e7fdd4c2

    SHA1

    93630aba3d698c8637cb97a88de449622fa0c39f

    SHA256

    bed36c75f455fb5c4c5aad376bd76b97574cd50a0b03d78e720d4c40bf15d934

    SHA512

    ee812162a26984ebf745ba91a6710eb3b7bb51d0789e9c0eae44eeda1923ec1de561ed61d3888f1ad4b598c4a22cbf0fa1593fdd5d6aace742a007d0570dbdc7

  • C:\LabZWP\dobdevloc.exe

    Filesize

    3.2MB

    MD5

    5c7cf27bc3b44e30685de7b71ab52397

    SHA1

    9a83be6d15eb6ae10f7660f8e5265fe4e7acf694

    SHA256

    7484a101190b1fceecfb9239970553749da2e768ff3343b866a84c5f36268268

    SHA512

    6139de0bc101b676a2573fff4683e4884179dab1b4f3fddfdc8efbb709df0174e3fc6f7c757094a530d2cbbccda5b9003dea15a1e2a6d43c578b3a93ef326c51

  • C:\LabZWP\dobdevloc.exe

    Filesize

    3.2MB

    MD5

    b3b7c323c5b11df7d0f41b45264f01ac

    SHA1

    4a24cabead58e8527c3a2a67b74d4a0662119e4c

    SHA256

    f07205beaa14d527d3941ea8cda840637e5e61b99f80f286745b18e13b9ca1ff

    SHA512

    301e2ba6ff2d1f3366a06a9dd8aecfccda334b46ca2062fe8ac1fe0b4aa163d70e2d02a0c0e7b0aef27f4193c638d2ac7141a04361f41e239344ada50842b9b4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    1137aff61d3e35640787d47fc3dd3f45

    SHA1

    fce1559eda37f49d9c4d399cd2dd030826864545

    SHA256

    e92c3998425357c2a5ae3434350c36aeb3f27307657c4fadc13b2f935e58ee8b

    SHA512

    a35b9bfc15f6e7794b29c84f1a78f6bb1b18ea1114b577302c322a091e16e61fecf0ebfd6310872ad31bc501e492ddd1a051b0f1fbe59d0a44da162ebb380f79

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    6f886862188a350a00ad2f6efba62573

    SHA1

    d453b1736e323936c824193eaf91e13626f0e2ee

    SHA256

    b470a8a86d27ed907240eee705f04686bf504a5fa2ad03557d205ee9616317ff

    SHA512

    fbc29f9e42d3084e2e7a3fcb27e72307c6fa66daa1e1d96832d799eaee616304fcbefeafe0f04568c908e96a4c6f4be2f7bb213854c29f14ae0cbe095fb8533b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    3.2MB

    MD5

    b5e100cf2a6b6381aeea3ac9fb8fd7cd

    SHA1

    6024cdc56ba5c73999c7637a32717a26c2957a7f

    SHA256

    1a66d894f9d97c6ab25b66b247c8777cbd240fa8c42b202ba412715cf900452b

    SHA512

    8246c92ef0dd117c6d40cc0bafbc8fa9be784d783928f6e7e4f48c666ea95310d0b615db28e6040706a40fae0abed087c7a3786c6a4db6ce0a169e26761342ff
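Added hunt script for the persistence and dropped-file indicators above; it is not part of the sandbox report. It walks the Run keys (the report does not say which value name the sample used, so every value is checked), the per-user and all-users Startup folders, and the C:\Files7F\ and C:\LabZWP\ drop directories, and compares each file against the SHA256 values from the Downloads section. One caveat the report itself supports: C:\LabZWP\dobdevloc.exe was recorded with two different hashes, and the Startup copy locadob.exe has a third, so the dropped files are not byte-identical between writes; the script therefore reports a path or file-name match as a finding even when no hash matches. The check on the .ini file is an assumption: it treats the numeric prefix in 253086396416_6.1_Admin.ini as host-specific and matches only the `*_6.1_*.ini` shape. Requires PowerShell 4 or later (Get-FileHash) and an elevated prompt to read HKLM and other users' profiles.

```powershell
# Hunt for the persistence artefacts and dropped files listed in the report.
# Added example, not the report's own output. Run elevated, PowerShell 4+.

# SHA256 values copied from the report's General and Downloads sections.
$KnownSha256 = @(
    '9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6', # submitted sample
    'bed36c75f455fb5c4c5aad376bd76b97574cd50a0b03d78e720d4c40bf15d934', # C:\Files7F\aoptiloc.exe
    '7484a101190b1fceecfb9239970553749da2e768ff3343b866a84c5f36268268', # C:\LabZWP\dobdevloc.exe
    'f07205beaa14d527d3941ea8cda840637e5e61b99f80f286745b18e13b9ca1ff', # C:\LabZWP\dobdevloc.exe (second write)
    '1a66d894f9d97c6ab25b66b247c8777cbd240fa8c42b202ba412715cf900452b'  # Startup\locadob.exe
)
# Directories and file names the sample wrote in the sandbox; hashes vary between
# writes, so these path indicators are matched independently of the hash list.
$KnownDirs  = @('C:\Files7F', 'C:\LabZWP')
$KnownNames = @('aoptiloc.exe', 'dobdevloc.exe', 'locadob.exe')

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$StartupGlobs = @(
    'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
)

function Get-CommandExe([string]$Command) {
    # Pull the executable path out of a Run-key value such as
    #   "C:\Dir With Spaces\x.exe" /arg   or   C:\Dir\x.exe -arg
    $m = [regex]::Match($Command, '^\s*"?(?<exe>[^"]+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups['exe'].Value }
    return $Command.Trim()
}

function Test-Candidate([string]$Path, [string]$Source) {
    # Emit a finding when the file sits in a directory the sample created, uses one
    # of the dropped file names, or hashes to a value the report recorded.
    $reasons = @()
    $dir  = Split-Path -Path $Path -Parent
    $leaf = Split-Path -Path $Path -Leaf
    if ($KnownDirs  -contains $dir.TrimEnd('\')) { $reasons += "directory $dir" }
    if ($KnownNames -contains $leaf)             { $reasons += "file name $leaf" }
    $hash = $null
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256 -contains $hash) { $reasons += "SHA256 $hash" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Source = $Source; Path = $Path; SHA256 = $hash; Reason = ($reasons -join '; ') }
    }
}

# 1. Run keys: every value under each key, whatever its name.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-CommandExe ([string]$item.GetValue($name))
        Test-Candidate -Path $exe -Source "$key\$name"
    }
}

# 2. Startup folders for every profile and for all users (the report shows
#    locadob.exe dropped into the user's Startup folder and executed from there).
foreach ($glob in $StartupGlobs) {
    foreach ($dir in (Resolve-Path $glob -ErrorAction SilentlyContinue)) {
        foreach ($f in Get-ChildItem -LiteralPath $dir.Path -File -ErrorAction SilentlyContinue) {
            Test-Candidate -Path $f.FullName -Source 'StartupFolder'
        }
    }
}

# 3. The drop directories themselves, in case the autostart entry was already removed.
foreach ($dir in $KnownDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        Test-Candidate -Path $f.FullName -Source 'DropDirectory'
    }
}

# 4. The per-user state file. Assumption: the numeric prefix of
#    253086396416_6.1_Admin.ini is host-specific and "6.1"/"Admin" are the
#    Windows version and user name, so only the shape of the name is matched.
Get-ChildItem -Path 'C:\Users\*\*_6.1_*.ini' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'StateFile'; Path = $_.FullName; SHA256 = $null; Reason = 'name pattern *_6.1_*.ini' }
    }
```

Each finding is emitted as an object, so the script can be piped to Export-Csv or Format-Table for triage. A hash hit is strong evidence of the exact sample in this report; a path or name hit without a hash match is consistent with the per-write hash variation the Downloads section shows and should be triaged rather than dismissed.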