Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 03:49

General

  • Target
    5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
  • Size
    2.6MB
  • MD5
    5c08244a62b4d0b537912c76aac4c750
  • SHA1
    2043dd2595bb5ade66993ef8950454f842beba16
  • SHA256
    026c597d45d928e26b89bf7931592333194b8771ae0c3fba0c57f1a3add20f3f
  • SHA512
    7a0bc94224f729645904a2c6236ba784276155b0b209e3a3948debfdb299b1890ee20afad997d9e5b825b71be8eb770ae924864645f63da4d393da8d86027d9b
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpIb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1540
    • C:\Files97\xoptiloc.exe
      C:\Files97\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files97\xoptiloc.exe
    Filesize
    26KB
    MD5
    df281bfeed20966154202479017c5833
    SHA1
    4bf02ba05985093e394a2a23df43add0038675b9
    SHA256
    5413f4323302e1679a11a57735e607bb6ff9d272be4b1c4c1760047c276d331a
    SHA512
    a99e6ed87160371c89e4227c2f969aede9f83aa0e79fc383e7ec10c798f9bcbda8c8724403693b72590bdd31c583835bb832da6dc5552d02abbd633c705ca590
  • C:\Files97\xoptiloc.exe
    Filesize
    2.6MB
    MD5
    9138a7243c40092ed1843c64e0925d99
    SHA1
    3d199c8a7234750e950f0a8ad05c1cb56c3b2bb1
    SHA256
    15fdb69c12a6910874423bbad389a9017b27f8997e8981d4fe10a5fe288f08df
    SHA512
    eed6557044c431910f83d7bbe8263c914d22a870d41ff26e198f33c501f40f96097cdb860bdbbdb3d458d0bb3724b8aacafe2c311db911fe574c2c4fe1aadbb9
  • C:\MintE7\dobaloc.exe
    Filesize
    458KB
    MD5
    c154fed2ae3c7a19cab82c777f1b2e52
    SHA1
    6e34d7cabc2af9ee235b29ce05c0819d4bd27593
    SHA256
    43b908b5a992193164bf5e4ba7249aa82dca4c898151bdf0edcd154c5d91ddc9
    SHA512
    fdc57705b714084ae2223c208cf0a409ae2e2f6037808869a2dcd4121cfdc204ec9a169d542c2234a3875f7e6d8261de0b5f774f75bcb2ef7addc3b7fd0388ab
  • C:\MintE7\dobaloc.exe
    Filesize
    2.6MB
    MD5
    2b5e1c56a9666a14a1330e7a47ec7e48
    SHA1
    bf34ab7d17ac4425015d54e4e5a9a1434443f44b
    SHA256
    fe0d140ad955b1cf0a97f2fc41de8ec133905956e919b1f950590010e6f1852f
    SHA512
    caf33f86a89e9e3e995fd86965bcfb444653f5559dfc5a477613e3fd9f47bc6f5d32b9b4086239b1b02099c1a6714a83718f04a5656ca2ba18c20d7fd651dc49
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    201B
    MD5
    f35923818eebaa8a99296c8c1782e7dc
    SHA1
    bf6bc089f9cbf12d9ebbb779127bcfb0de04ffd0
    SHA256
    630d9e36d71b9b8d9dc765991eeb57c9fea941e70a1d1bda05ea2b08e87e5e45
    SHA512
    a5282380e2366efbb4ffb41f58b7dfac1e25a36a069be359c157475f1669d6f05700b2ad67507220fdafecd44cce92908ba2108f8bc1de079841aed3bb57407d
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    169B
    MD5
    f9558f891c8a1ef7ba064bdee2c43839
    SHA1
    de3618ce5743aa4fcbdaed37598394f4348d76d4
    SHA256
    002f96c97042ebcc8f477720f87b61bf51b2d271cdb9ad6e1d504e18753c819b
    SHA512
    a401c947f6f8a14aab261fa08a5d9cf9ed0f3fac9f916a973bec62aa7e27dec43d984df257f4b7351641a0e001c683e59267ed8fdb51de0e8dad403801897f7c
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Filesize
    2.6MB
    MD5
    b822fb89aed1bfa6e460b0409d15dfb8
    SHA1
    a4754e5706a83698383e4e841303f8a2bd660e02
    SHA256
    a90e9847977228d0fbb268bd6ec74222f6108293ba0615b3842487dacd4d30d4
    SHA512
    c19b40aa9c5942bf7a7cf6a27c7f2d2c4001a4c23d6a615a836c04dea1dcba5330bbf346bc0f222e58d0e554920976f9527e2e79d92fc0c77c50c6c29fb7cb00