Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 03:46

General

  • Target

    5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    5bda9bcf5c906737b67fc3e01fc374e0

  • SHA1

    12075b48fe688594ca8134fa2803edea71ecc1cf

  • SHA256

    39825b96cabf19ac29ee9dc3ad9d49c9daed4e176e2eeff742aafab63e619c4b

  • SHA512

    fbb9753e426194baa5d8de5d4d44973a6beefc691e9b1bba586d43ad703fddfaae9fe76a5070d8ce794c1614c4f7fbd139e92b76de0c169694e73f188313cbef

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUpebVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2332
    • C:\IntelprocZK\devoptiec.exe
      C:\IntelprocZK\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocZK\devoptiec.exe

    Filesize

    3.1MB

    MD5

    8825de33be877a749bebf86b8cf46dc1

    SHA1

    d108fc9bdbd992a8a9c6576e23fb53191c0a616e

    SHA256

    a7e67e0b665a0f8067042bcf876666adccb0ee050b1dfde7fcc417e19c312a24

    SHA512

    61306cbf772dadb2be74adf4a23ee5715bbfb6742e5b3081c114bc3133aa4d5c6ac083cf117d9f4c5049786aa793ae1d6300dc2f0864d77632a4cc1401564264

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    f7ce3250933ed073d68c5e2a19e28b9b

    SHA1

    26e3515bb4ceeda73add95e32c9205d871321810

    SHA256

    f2a2b1a05acc7cd3644d6f13eb6fe821c809de144117cfd72043564c4b2b8da8

    SHA512

    1f5802a19932087d870a964d84b982113fb42c5101cbbe0568f6f3dafe7e3d88db93fd11d8e0c1e72d2042f3eaa1fe6fa56e74e986919b0607f155abdc317bfd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    67670630dcda00e77b5681e3d5165c01

    SHA1

    f38df4a2cc4d266361b2f84b66700551a2c83a18

    SHA256

    74a5c51b6ca7db87d7301a3a1dc0d010ade38149d9303a714828019e41cf6ee7

    SHA512

    ccb49988c7b8cf9503ff0eae107b9c5c47245e66c81de6f6029129a918be76d4dd9e63af694434da7fc922834182485af19d70d0ca29c40fbf72d8fb4c430f16

  • C:\VidOK\dobxec.exe

    Filesize

    1.4MB

    MD5

    1846af9e8b55558541978d7c56478edb

    SHA1

    547f27f580ed217db608fc58faecb1dcb3b7543b

    SHA256

    7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd

    SHA512

    863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b

  • C:\VidOK\dobxec.exe

    Filesize

    3.1MB

    MD5

    437ec0232edc86e6534546391a85e206

    SHA1

    dfa0b9325f08ab87efa8318e1a6f123918462b3b

    SHA256

    7d1599ca2f7b0630e1f0532ccf39cb18ec2eb240997ad8dd4c4cece57cf7bc37

    SHA512

    5d34598d348b079c41f14511a6be71331707917c346fe3cb1ae8e9bf4735b28eb8eb6265965e66f9d8474d15075221cb889b3104562cd7ff6098a33793c00371

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    3.1MB

    MD5

    aaee34b1aa08e4048c6f1c40eff55dd5

    SHA1

    74b4cdd869abaf7578bb6f5b4a54a224cc3ed973

    SHA256

    3c4b06f3247708f7a43a477e9db142a0fe34879747d746dc32cab30b7a3dfc97

    SHA512

    13b815e640f52518175e8ab8cbfc147d04eaebc432116d4d6c894521465881583dfda556438eaccf1f1cb368faf8e6e4ec744d4f57bb7990fe78cf95653038df