Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 05:32

General

  • Target

    6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe

  • Size

    4.0MB

  • MD5

    6253d0cbca1c76cbfbfd859f4facdbc0

  • SHA1

    ab1f3d98c46ff989c78b56a95480d486fdeafacc

  • SHA256

    6535faddfcbc48e4c9dd5b3f46f87d99db166beff30029fc65056356fc3a861e

  • SHA512

    4bb82f501bd3b319e2dec6a0e4138467e7376d17932d4bd9e2a38746d7dc4b7458944ada2a36aa4899b5f32bd50dbff580cba3958d74c7ac2eec84b8f98598c3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3672
    • C:\FilesXV\abodec.exe
      C:\FilesXV\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4528
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
    1⤵
      PID:2708
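The signatures above (startup-folder drop, Run-key write, execution of a dropped EXE) are exactly the behaviours that can be reconstructed from endpoint telemetry by correlating file writes with later process creation under the same parent PID. The following is an added example, not the sandbox's own detection code: it runs three such checks over a small constructed event trace whose field names are loosely modelled on Sysmon (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistrySetValue). The paths and PIDs mirror the process tree above; the SID, the Run value name `sysxbod`, the parent PID 4000 and the Explorer/Edge noise events are assumptions made up for the example.

```python
"""Correlate constructed endpoint events into the behaviours flagged above:
startup-folder drop, Run-key persistence, and execution of a file that the
same parent process had just written. Example code, not the report's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lower-cased path fragments; trailing separator keeps "\run\" from matching "\runonce\".
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

@dataclass
class Event:
    event_id: int            # 1 = ProcessCreate, 11 = FileCreate, 13 = RegistrySetValue
    seq: int                 # ordering within the trace
    pid: int                 # for id 1: the new process; otherwise the acting process
    image: str               # image of the process identified by pid
    ppid: Optional[int] = None  # only meaningful for ProcessCreate
    target: str = ""         # TargetFilename (11) or TargetObject (13)

# Paths copied from the report's process tree.
SRC = r"C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
DROPPED_EXE = r"C:\FilesXV\abodec.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed trace (SID, Run value name and parent pid 4000 are assumptions).
EVENTS = [
    Event(1, 1, pid=1900, ppid=4000, image=SRC),
    Event(11, 2, pid=1900, image=SRC, target=STARTUP_EXE),
    Event(11, 3, pid=1900, image=SRC, target=DROPPED_EXE),
    Event(13, 4, pid=1900, image=SRC,
          target=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\sysxbod"),
    Event(1, 5, pid=3672, ppid=1900, image=STARTUP_EXE),
    Event(1, 6, pid=4528, ppid=1900, image=DROPPED_EXE),
    # Benign noise: an Edge utility process and an Explorer write outside Startup.
    Event(1, 7, pid=2708, ppid=2600, image=EDGE),
    Event(11, 8, pid=2600, image=r"C:\Windows\explorer.exe",
          target=r"C:\Users\Admin\Documents\notes.txt"),
]

def startup_folder_drops(events: List[Event]) -> List[Event]:
    """FileCreate events landing in any user's Startup folder."""
    return [e for e in events if e.event_id == 11 and STARTUP_DIR in e.target.lower()]

def run_key_writes(events: List[Event]) -> List[Event]:
    """Registry value writes under ...\\CurrentVersion\\Run or RunOnce."""
    return [e for e in events
            if e.event_id == 13 and any(k in e.target.lower() for k in RUN_KEYS)]

def executes_dropped_exe(events: List[Event]) -> List[Event]:
    """ProcessCreate whose image was written earlier in the trace by its parent pid."""
    written = set()  # (writer pid, lower-cased path)
    hits = []
    for e in sorted(events, key=lambda x: x.seq):
        if e.event_id == 11:
            written.add((e.pid, e.target.lower()))
        elif e.event_id == 1 and e.ppid is not None and (e.ppid, e.image.lower()) in written:
            hits.append(e)
    return hits

def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Summarise findings under the same signature names the report uses."""
    return {
        "Drops startup file": [e.target for e in startup_folder_drops(events)],
        "Adds Run key to start application": [e.target for e in run_key_writes(events)],
        "Executes dropped EXE": [f"{e.image} (pid {e.pid}, parent {e.ppid})"
                                 for e in executes_dropped_exe(events)],
    }

if __name__ == "__main__":
    for name, findings in triage(EVENTS).items():
        print(name)
        for f in findings:
            print("  ", f)
```

The write-then-spawn correlation keys on the parent PID so that the Edge process, which nobody in the trace wrote, is not flagged. When hunting with the hashes from this report, note that the Downloads list records `C:\FilesXV\abodec.exe` and `C:\KaVBML\dobasys.exe` twice with different sizes and hashes, so the content at those paths changed during the run; match on every listed hash rather than just the last one.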

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\FilesXV\abodec.exe

      Filesize

      206KB

      MD5

      b64fc83b413933e0a7e5a6f25583ba0b

      SHA1

      8ec82f21d69244979bb5da65c21f8034ea777182

      SHA256

      779dc28bfc18d61fda4587a3bf40a75f63cc3eb21a19b18dc93f5a2aadbb521e

      SHA512

      14c3e0d3efbe9e42ada236b0b7668ba78304eaba741bd7aff346a3894f888c5d57d4d625909d3124d609911bd53f08267aa144ce71bb5b5dd8c82124f82c0acf

    • C:\FilesXV\abodec.exe

      Filesize

      4.0MB

      MD5

      74bb446560435761135be706d42de917

      SHA1

      c220e761608fa4e8409d9c9e4144bd7a35cda736

      SHA256

      b0308ffb362db01cdd56289f13152bbf7036caf9bd983ef1e29ec5ef12fde0a5

      SHA512

      2adf14198c3cb97700b1e1674b0788119a86ca09ea1d3b4f061486956be92d9740353a05fe865e190e410ad8d8db3a7edec83a18e3fb0931611aa3eae099f97d

    • C:\KaVBML\dobasys.exe

      Filesize

      37KB

      MD5

      ae8be8e2b1dab8adcb836a33cf6b9a61

      SHA1

      515818c5f9405956f70943bb72ba90e9ba78e9be

      SHA256

      3f6a2116dae8cf70a291b708d7a433a4131aa97d54aa90c7e7c7a772133beee2

      SHA512

      27e40b2e46154b9c2897e8399b1af317f88ca2e3ef7054a9448c2abdbf7f18785b448b4aee832cd94706b44c9e30fd97a6d1f85cb28c11b70a3e38f9b4c37676

    • C:\KaVBML\dobasys.exe

      Filesize

      5KB

      MD5

      b1bff5461f6eccee15bc13b90b862c37

      SHA1

      9b68b3e8bd60c2c4b00d1ff961e9c20b00350466

      SHA256

      31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498

      SHA512

      fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      199B

      MD5

      d542df43cc1e2dafde02c86e891a4fd7

      SHA1

      d1292fb158fec234d1439f7675524578c45b799f

      SHA256

      1a07183992ac770928ba9b782f2c20479ef34278acf767c84d4a6fd970456286

      SHA512

      b38acd8c8cfd3d1d997e6e887bb73ff31042b4c55d694c05b874f3adaa1f7fa66d47f17e9caa7905fb32fcecf0f5cca9f7add5775ef22a3b620dd844f9011c8b

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      167B

      MD5

      d16042f7cbae4024d74a9feba2b22933

      SHA1

      5c91eb6794d17a51260100ecee35dea8de70b86b

      SHA256

      5c6cc609ff6d28bab828bb2543d139d537694406318fbdfd0e7b5c94b6672295

      SHA512

      23abb25de1fd3189c424e5f2e946b3fdc884335f6a927fe1ad9446468cd9aa7f618be28566181e779c280d430ae1b82de29c017254c9b6078418640c8ef886a1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

      Filesize

      4.0MB

      MD5

      8b286c43a47f133cf388deaa3e6b09c6

      SHA1

      2bca0f2d31297698a82293b21b6aabe7fa2809f8

      SHA256

      cf51762f621a7881969fa88c73a559a5171d150b39a3b3dbbc8ae348c84a317e

      SHA512

      a6427a6cbbacc0f286c42b6dd0311525437778094f0121bd93308d1ec59831aa99091f2aecccf97630343925d38ccbbcaad53bbe8803a9300f47c3e6b5fb3df1