Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 05:30

General

  • Target

    624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    624002f183a1ecc2a19fb2a9e53e8a30

  • SHA1

    caf05969f44c5b205f1930eeb587855b0bd89004

  • SHA256

    82b1f1d0604e41e8d91dfcbfcb6e1369f8db744e30965909725e0bf3e0dd860f

  • SHA512

    55634343938e58dedf87e5a14dd35af129eba8b5267c3ab64dad62e1f9bc4c823e77cab5fa8b9688b16303bd5d5a98e2d61713b078305c3e0f519ae1ab83157c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNX:sxX7QnxrloE5dpUpjbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2712
    • C:\AdobeYN\aoptiloc.exe
      C:\AdobeYN\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeYN\aoptiloc.exe

    Filesize

    3.0MB

    MD5

    f39a8211c5ea5f89c967770efddf01d9

    SHA1

    f7824f7c819a817b5422bd3ef1f2935586ac2eb8

    SHA256

    97475b544361041736c942c47af1cda4c70cce0bb40a6ae093d53240c226d3b3

    SHA512

    24f31f4c2ba90c2117381dbfdac818e519676344a7f3470289d34f0ed3f56f8c095309a5170996f9fdc10f581b02ea1184a627313757aaadcde2be0b4a33b68a

  • C:\MintKG\boddevloc.exe

    Filesize

    3.0MB

    MD5

    5cb31c43b5aa7df4d46d676da0d66b0f

    SHA1

    097d69b837a89f4163162d96fa03c12cd1fa8859

    SHA256

    1bf58243270101e8546f60162e9dfa1d2e69d3d46ab0398df2304967405616c8

    SHA512

    d82248fe4fc1d6c0a843eeb7e20bc4828f3141928c64c088210010594c95eaa3c4b8ed923afdb6d3927c2e35c6e69f45b8c187c9168f45ad6c4c0e4794bfbefb

  • C:\MintKG\boddevloc.exe

    Filesize

    15KB

    MD5

    baebd565738a73b1785d23f85b9b1880

    SHA1

    3e776227196d9cbee3a9edf120876f20e6af105e

    SHA256

    d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7

    SHA512

    3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    b7a6fb4d87619ee60f2c258d621076da

    SHA1

    d248a2f9dbb505cd32526712839217197ff37f6d

    SHA256

    fa6e4c3ab616d5c62eb9b4287e013b913ac7df9c98b2ec3a5f8afd6c7cfbc5c6

    SHA512

    fba89216b0ddd8f87242a26eb8c00bec7ba808db23a45047cbb38a0fa75f8fe080a9411beddbb9d65416d420aec3e04dce7aa742a2776cdd3736a689ef6c9c2a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    dd4a1a2aed04f2c6bd6670302b6752e4

    SHA1

    ca7555259420333e431b34ef1a1e4a68a4f0b8f7

    SHA256

    ec38c4b61645319a4e45f05ef1964c5bfddfac58bf86f3008698c2dbe3f08859

    SHA512

    23fe476b7717fe4dd4e566434de3292b214a2b18f49c62114950baadb77769a6f6ea671e45f1d1e6fa747dcca8a00cb1642b527d82ccbc36767e1b3b29380977

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    3.0MB

    MD5

    564579c1c38e1e3d1d0019da3193ba5b

    SHA1

    59e25455dbd9b8a601a8e8e90c0b3a1e9cfb9092

    SHA256

    96819cea4c71cd139321c7a306d7826e92af433ea936818051829911dc49829b

    SHA512

    155443a5fa0b78bdf64bb0894f04b15ee06bb2466b02d8b0b64c9ed2a2c38d984a8778ddf81c086b0e657b3787035ff9c4256911193c702eeb993b2e092c79ba