Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-06-2024 05:30

General

  • Target

    624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    624002f183a1ecc2a19fb2a9e53e8a30

  • SHA1

    caf05969f44c5b205f1930eeb587855b0bd89004

  • SHA256

    82b1f1d0604e41e8d91dfcbfcb6e1369f8db744e30965909725e0bf3e0dd860f

  • SHA512

    55634343938e58dedf87e5a14dd35af129eba8b5267c3ab64dad62e1f9bc4c823e77cab5fa8b9688b16303bd5d5a98e2d61713b078305c3e0f519ae1ab83157c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNX:sxX7QnxrloE5dpUpjbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3724
    • C:\SysDrvNO\aoptiloc.exe
      C:\SysDrvNO\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvNO\aoptiloc.exe

    Filesize

    3.0MB

    MD5

    0064d9a4619ad25b1febcbcdf19e1838

    SHA1

    49aa73acd49aa13633aedb710dcd8ba57be6cb7d

    SHA256

    84749965b09850ccaecd687850d6a5cc62011b5cf30784fc3e92e847cc3d6494

    SHA512

    67ecdcd6e1e29d655616400866ae32d285f7b039dbfb5cf294bdc7f57df06901a85aa21cade53100e30c114c846de89d40bc65c0af4a095fafe7c49899b3a8ca

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    2b531141d587ea181e69aed094433648

    SHA1

    328f0950911a272226832acbb268e4594d7ee7df

    SHA256

    00132e82ae70276c29a46cdf852355301690b80a0cd534ecbd95b9c783fa0a3f

    SHA512

    1b4fae9e3f34684ebcf3309cf764c4702b5d8cf02eb04a4a46da5a0fd7f257d7e13085380ad51a3a9eeeb106bef16b470dc96f90938bed4da4d93c9805a1de5e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    8be621378466ca9582fb9ac8b0a0b95f

    SHA1

    58a15f103f665783fba4d6e5892874c1abfd5c3b

    SHA256

    4bdfae454d5145a33a392e90a902d740ff5cff89acffc48ff6858c3f3bf327cc

    SHA512

    4eacbfbc97123c976743bd3b3bcb630ae010d2fb6fe56847d2a371866661f77ef653360cb3f642310a7f440c9dd967ec5b58ddf5f2f8ca03dfab6786606340d3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.0MB

    MD5

    2473a29f22664f791ae367d861736c1a

    SHA1

    b96b57c36ff350df06bd385915c9c14ed00ec661

    SHA256

    9581f52b7ca918791f7d3fe656eb076f12ee9c917d30088916ae38171e857c94

    SHA512

    c79b083fec3c568f234e996552179efbe133f77f8d09e8a4969d95b72fefb9911e8bd7665b68b01bd3575285f22202aa56a150749da4ab7b350a9a1a8510a5ff

  • C:\VidD3\dobdevec.exe

    Filesize

    465KB

    MD5

    004b074e1a7776f70cdcc1ddd69fceb0

    SHA1

    5e214e369cf792eb88ff77fcf984dadffb7afe1d

    SHA256

    78ba7c04bbb49c1d45ebd33f485eef4000e543b92db6cb95ed03b4053bc909e0

    SHA512

    de7e902931121bc2e612c77f79453d7e4b92975119c2266423001b4633530a5e290ecd073298deeb354e3946c508b7bf8807909998ebea8bc83cff6be3f9361b

  • C:\VidD3\dobdevec.exe

    Filesize

    3.0MB

    MD5

    1e5182e6feb4303fc958bd172534882a

    SHA1

    d1c159cb32ec61fe59912cc29d74bdad3009c99a

    SHA256

    2a0409b99799f1de5088fb7d43363a629f9ce287040c299a4327676a4e35d1d8

    SHA512

    14529ce95001861b60f81ed5a6c16a23979f139b85ebbc87b01e9497303c4991b764a99e41d5abf63bb3761b0b28044dd30c8e50aaa966ffd1539f00a0577820
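The dropped-file list above is the part of this report a responder reuses directly: a host sweep that looks for the same paths and SHA-256 values. The following is an added example, not code from the sandbox vendor or from the sample; the paths and hashes are copied from the Processes and Downloads sections, while the function names, the name-only fallback match and the HKCU Run-key listing are this example's own choices. Note that the report lists `C:\VidD3\dobdevec.exe` and `C:\Users\Admin\253086396416_10.0_Admin.ini` twice with different hashes, so each path maps to a set of hashes rather than a single value, and that the `Admin` profile name in the Startup-folder path is specific to the sandbox VM.

```python
"""Host sweep for the file-based IoCs listed in this sandbox report.

Added example, not part of the report. Paths and SHA-256 values are taken
from the Processes and Downloads sections; function names, the name-only
fallback match and the Run-key helper are assumptions of this example.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 of each dropped file as listed in the report. A path may carry
# more than one hash because the report shows the file written twice.
REPORT_FILE_IOCS = {
    r"C:\SysDrvNO\aoptiloc.exe": {
        "84749965b09850ccaecd687850d6a5cc62011b5cf30784fc3e92e847cc3d6494",
    },
    r"C:\VidD3\dobdevec.exe": {
        "78ba7c04bbb49c1d45ebd33f485eef4000e543b92db6cb95ed03b4053bc909e0",
        "2a0409b99799f1de5088fb7d43363a629f9ce287040c299a4327676a4e35d1d8",
    },
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe": {
        "9581f52b7ca918791f7d3fe656eb076f12ee9c917d30088916ae38171e857c94",
    },
    r"C:\Users\Admin\253086396416_10.0_Admin.ini": {
        "00132e82ae70276c29a46cdf852355301690b80a0cd534ecbd95b9c783fa0a3f",
        "4bdfae454d5145a33a392e90a902d740ff5cff89acffc48ff6858c3f3bf327cc",
    },
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_iocs(iocs):
    """Build a lowercase-filename set and a hash->report-path map from the IoC dict."""
    by_name = {}
    by_hash = {}
    for path, hashes in iocs.items():
        name = path.rsplit("\\", 1)[-1].lower()
        by_name.setdefault(name, set()).update(hashes)
        for h in hashes:
            by_hash[h] = path
    return by_name, by_hash


def sweep(root, iocs=REPORT_FILE_IOCS):
    """Walk `root` and return a list of (local_path, reason) hits.

    A hash hit means the content is byte-identical to a dropped file in the
    report. A name-only hit means the filename matches but the content does
    not; this is weaker evidence and is labelled as such rather than dropped,
    since the report itself shows the same filename with differing content.
    """
    by_name, by_hash = index_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished between listing and hashing
            if digest in by_hash:
                hits.append((str(p), "hash match: " + by_hash[digest]))
            elif fn.lower() in by_name:
                hits.append((str(p), "name match only, hash differs"))
    return hits


def run_key_values():
    """Return (name, data) pairs from the HKCU Run key; empty off Windows.

    The report flags 'Adds Run key to start application' but does not print
    the value name, so the caller has to eyeball the list for the dropped paths.
    """
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            entries.append((name, str(data)))
            i += 1
    return entries


if __name__ == "__main__":
    # Default to the system drive; pass a directory to narrow the sweep.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemDrive", "C:") + "\\"
    for local_path, reason in sweep(target):
        print(reason + ": " + local_path)
    for value_name, value_data in run_key_values():
        print("Run key: " + value_name + " = " + value_data)
```

Sweeping an entire system drive is slow because every file is hashed; in practice start with the directories the report names (`C:\SysDrvNO`, `C:\VidD3`, each user's `Startup` folder and profile root) and widen only if nothing is found. Treat a name-only hit as a lead to pull the file for analysis, not as confirmation.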