Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 05:32

General

  • Target

    6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    6253d0cbca1c76cbfbfd859f4facdbc0

  • SHA1

    ab1f3d98c46ff989c78b56a95480d486fdeafacc

  • SHA256

    6535faddfcbc48e4c9dd5b3f46f87d99db166beff30029fc65056356fc3a861e

  • SHA512

    4bb82f501bd3b319e2dec6a0e4138467e7376d17932d4bd9e2a38746d7dc4b7458944ada2a36aa4899b5f32bd50dbff580cba3958d74c7ac2eec84b8f98598c3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data such as saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2768
    • C:\IntelprocCZ\xdobloc.exe
      C:\IntelprocCZ\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2684

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocCZ\xdobloc.exe

    Filesize

    4.0MB

    MD5

    4aeaf0c476cb2235d7e18f3707e8cee7

    SHA1

    b318a5cb221031eecb8667e9845974b1fdbe4960

    SHA256

    79faabf0b8ce11d354454aa7a4725dc7f80830a2f6b6147c3a7755089a2711a1

    SHA512

    13d902eedb2e9a5cd0ef9b78abc9543ee1abbe51705561740964c1a149c2a8029fb77140f803fffc929086ca9e0266ac7346a57764eaa95c05ff3bd65e80cc2f

  • C:\LabZXW\bodaloc.exe

    Filesize

    4.0MB

    MD5

    26a09658d9323463610278130c6b60e0

    SHA1

    4fdf4f543784c28cd846f38cbc7332c437c55216

    SHA256

    b4ded1f01782347f359b122b49bb0c8744c38657fd0dff76929ca7b8581f0c1f

    SHA512

    4970ccf1d82f1444b55e79cbc27ee37d189b141a7280cec05b2bf7afdeeb1cc71bec8485cdfbe979118098c51f6b8c03d5b49cd97227f0f6d08b4f35b8f2733c

  • C:\LabZXW\bodaloc.exe

    Filesize

    29KB

    MD5

    2c368577e9554133d02c83bf54a3ba6e

    SHA1

    49b7a9ae2d4b99497643247e01905888709f9fd5

    SHA256

    a133dd9ff9d9f10e5866c760cdd82f93cc9b63bbc2f61deeca3dfc19530bb3bc

    SHA512

    6738917ab34d25b7951ccba929c783d529abd278da5610a245c6c13691fecc1ae024dff9e6702c16321ec7300ee950a2a7fa1088dce430274f937ce643d834a8

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    d02ea01526212a6cc75d88584d25c7f6

    SHA1

    c86635952237fd0f4bf3301c4101760361f23449

    SHA256

    03b2384a7046697755767b8b9fe688b1bd15d20aeed00a3908128cbcee1bb09e

    SHA512

    dfe0c225d3ac7213375e39352a5ca5dcac65ff4cbfdd33851f3ea3bb9c6e6fcef561357a8a7f53fa51336c4d9d6c4a7b927adf45ac328d24752bac234dafb833

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    d00445955a24ed87e92bb0c62ff84e79

    SHA1

    268f79e0c8f59f4292c83c4dad5ea33bab6f7fbd

    SHA256

    f45d96e5bb539bc4e43b9b8fe0697a355d41a9be0b4771689109af7ac1320529

    SHA512

    4a72df74505c4d869201c95bc1a4462cf28fa51e15aa018c591ab7c05238484fbfa016658e8efc5dc228b13f23b17cd8940fb5b741dc6f838ec35afad831b775

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    4.0MB

    MD5

    5d74880526f72df2668e73d054e04c44

    SHA1

    a026a14400893b621d50bf95e890e8c78e5d0836

    SHA256

    4bf2d516553df066c1a7187aa2c6b4cfcbab64cee3735ea8e189b4cbd0f10019

    SHA512

    b443f89a11a731c9972ee4f43cb7919e472a327915fe8bb89d4fac88f685522765ccf6160925187bc68f08947b2fa66ac0b694ea918cbaf004292cccbe2e7026
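The process tree and the Downloads list above give two kinds of indicator: file hashes, and the drop locations the sample used (the Startup folder, plus the sample-created directories C:\IntelprocCZ and C:\LabZXW). The following Python script is an added triage helper, not part of the sandbox report or of the sample; it carries the SHA256 values and paths exactly as listed above and turns them into a check you can run over a mounted victim disk or a set of collected files. The `Ioc` record, `match_file`, `scan_tree` and the drive-rebasing convention are this example's own assumptions.

```python
"""Hash- and path-based IoC check built from the Downloads and Processes
sections of this report. Added example; not the sandbox's own tooling."""
import hashlib
import os
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Ioc:
    path: str     # path exactly as the sandbox reported it
    sha256: str   # SHA256 of the dropped file, from the report


# Dropped files as listed in the report. The same path can appear twice with
# different content (C:\LabZXW\bodaloc.exe was written as 4.0MB and as 29KB),
# so a hash is the conclusive indicator, not the path.
REPORT_IOCS: Tuple[Ioc, ...] = (
    Ioc(r"C:\IntelprocCZ\xdobloc.exe",
        "79faabf0b8ce11d354454aa7a4725dc7f80830a2f6b6147c3a7755089a2711a1"),
    Ioc(r"C:\LabZXW\bodaloc.exe",
        "b4ded1f01782347f359b122b49bb0c8744c38657fd0dff76929ca7b8581f0c1f"),
    Ioc(r"C:\LabZXW\bodaloc.exe",
        "a133dd9ff9d9f10e5866c760cdd82f93cc9b63bbc2f61deeca3dfc19530bb3bc"),
    Ioc(r"C:\Users\Admin\253086396416_6.1_Admin.ini",
        "03b2384a7046697755767b8b9fe688b1bd15d20aeed00a3908128cbcee1bb09e"),
    Ioc(r"C:\Users\Admin\253086396416_6.1_Admin.ini",
        "f45d96e5bb539bc4e43b9b8fe0697a355d41a9be0b4771689109af7ac1320529"),
    Ioc(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe",
        "4bf2d516553df066c1a7187aa2c6b4cfcbab64cee3735ea8e189b4cbd0f10019"),
)

# Directories the sample created directly under the system drive (lowercased,
# since Windows paths are case-insensitive). Anything in them is worth a look
# even if the hashes have changed in a rebuilt sample.
DROP_DIRS = ("c:\\intelproccz", "c:\\labzxw")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _normalize(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.lower())


def match_file(path: str, data: bytes, iocs: Iterable[Ioc] = REPORT_IOCS) -> List[str]:
    """Return the (deduplicated) reasons this file matches the report, or [].

    A hash hit is conclusive. A name/location hit or a drop-directory hit is a
    lead to verify: the same dropper rebuilt with fresh hashes would likely
    reuse the same file names and directories.
    """
    reasons: List[str] = []

    def add(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    digest = sha256_hex(data)
    p = _normalize(path)
    for ioc in iocs:
        ioc_p = _normalize(ioc.path)
        if digest == ioc.sha256:
            add(f"sha256 matches reported drop {ioc.path}")
        elif p.name == ioc_p.name and p.parent.name == ioc_p.parent.name:
            # Same file name in the same leaf directory (e.g. Startup\locxdob.exe),
            # independent of the profile name, which differs per victim. The
            # .ini name embeds a per-machine number, so it rarely matches this way.
            add(f"name/location matches reported drop {ioc.path}")
    parent = str(p.parent)
    if parent in DROP_DIRS or parent.startswith(tuple(d + "\\" for d in DROP_DIRS)):
        add(f"located under sample-created directory {parent}")
    return reasons


def scan_tree(root: str, drive: str = "C:\\", iocs: Iterable[Ioc] = REPORT_IOCS,
              max_bytes: int = 64 * 1024 * 1024) -> Dict[str, List[str]]:
    """Hash every file under `root` and return {windows_path: reasons} for hits.

    `root` may be a Linux mount of a victim's system volume; relative paths are
    rebased onto `drive` so the Windows-style path checks still apply. Files
    over `max_bytes` are skipped (every dropped file here is 4.0MB or smaller).
    """
    iocs = tuple(iocs)
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > max_bytes:
                    continue
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; not a match either way
            win_path = drive + os.path.relpath(full, root).replace(os.sep, "\\")
            reasons = match_file(win_path, data, iocs)
            if reasons:
                hits[win_path] = reasons
    return hits


if __name__ == "__main__":
    # Usage: python ioc_check.py /mnt/victim_c   (mounted system volume)
    for path, why in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(why))
```

Match on hash first and treat the path hits as leads: the report shows the same drop path carrying two different payloads within one run, and the Startup-folder path contains the sandbox user name `Admin`, which is why the location check compares only the file name and its immediate directory.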