Analysis

  • max time kernel: 149s
  • max time network: 128s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-06-2024 04:28

General

  • Target: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  • Size: 3.2MB
  • MD5: 5e7e5d3c8a80fe057652c13e56c93a50
  • SHA1: fe47b778a672a59b06f7ce51e46c9a0bad9f2ed2
  • SHA256: 9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6
  • SHA512: f352480b65cc7bc075e9f1542084f49ecf8a070c0ce4a11ab1786473dfb9058d81ab62834a5023a7e5f63cbe744fb9edd8a8cb814fc9667de7d1e2ffbad8584b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe (PID 4880)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 756)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    • C:\UserDot1M\adobsys.exe (PID 5056)
      Command line: C:\UserDot1M\adobsys.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot1M\adobsys.exe
    Filesize: 3.2MB
    MD5: fa61a177e805a66b3ad79bafe5a32972
    SHA1: 0b4cfb481372267a29dbbbdd660f5f3476b9fe01
    SHA256: 672e6867fe2287b9c123a1ff02a90b719e60a13779588f1202241bbd021180fa
    SHA512: 0fd2b891368e67198ab800d6ed6cdcd5510ab9b6dccb2c5aa1087c7cad621225f5bcbb0a543b17d59f46e64356cd836e51bce809494059389d324c5c02372e16

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: a1d7d4bbacedcd6bdf7497ade07136e6
    SHA1: 13dc0b6042cc1dea189c3def474e0c225cdab8fb
    SHA256: 1db3b6d05d1c486a3eec5842b1afb629cc45f734c935aaaffbf1bd2730c67099
    SHA512: b6f967cf24a3beb39481c61d15c53870a7ace853cb4553151d2fd431c5ffe02a27950aeab282d75479a50dca61633e0ee67c5e13e3e53f3c2c6df906d68052cd

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: c7d4d41514c77691db22bc611aa8e863
    SHA1: cbbb53f1b51a85b2b37770db2b611d7934af4ba1
    SHA256: bf757f6977bf5529397bee3b0fa3dba04ceb1ae318f7dd5540c8908af2a50946
    SHA512: 0c164424d15401bc360a6ef6e906bd310bd64c424bf268961187e76ee2bc435282fea2edad2064afab2ffb27168da4c510694b025eec7afd23e7460fc67dd4c5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 3.2MB
    MD5: e80dfb765c0ad6f0385f8c27f88fb3fd
    SHA1: bb99f9fefcfbe3cf1a36d5e9931061379b6e8614
    SHA256: 9f03400ec7170e86437d8d0794c621a48821dfb80f82d9feb7dfe7117882a3b2
    SHA512: b3eabd3433844d3bc1ff3e16333b46309895360faff3679e035efd0d9cffa137d98e7ee732d910df07528a902c131c5af387071a68a793330ff0978a367cf1f5

  • C:\VidMV\dobasys.exe
    Filesize: 3.2MB
    MD5: 53197a8d3490b8c21235caedd971b3c0
    SHA1: 817a8ed047707adf5f8ff923d509f08858be1f64
    SHA256: 810c33748adff45f4669f637afbbc08a466a9ba1fcbb37ebb3c1e204013bf25c
    SHA512: d5a6e790bcbf8471bbd9af0afb05f858b2fed5567f006977149ba3bd7dd2f923a78acbbed64cbb3906548551e74f7bb9fb7ef83d333a1c9520738fde151619aa

  • C:\VidMV\dobasys.exe
    Filesize: 3.2MB
    MD5: 2911d6dd5d038ecb8f9725f612ffc037
    SHA1: 1b1fea74266386bd0e39aa57f50e659e7e8b8d5f
    SHA256: a1483f07918722b581218fd86efc4bca02558b2b7dd2b5ff36bfb8123cbf5e43
    SHA512: 3bb3a3777720714faa19a69c05ca021ae867b883624a508f2bf8618b50f23fab24e2f6d28d63ce231215cafd924af9f9cc88ccfdcb86b2ad63c2727077d28d94