Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 02:31

General

  • Target

    9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    9b5ded4287c5c3872386297e9a2a1420

  • SHA1

    1a6924adc275cac1e50417d6d3b876b29e2fc866

  • SHA256

    bd869aedb7e9de4461effd656c188a7dc4798fa614defba50ccc789d5608127c

  • SHA512

    2c186d4b5d706772be8bbc98fe4c70114e35d6958ceff6cb1917ddb2824d44672ef00bb793300e07c37299f1e5c7ac7bfba1057dcbadabb1ac133517623e5f4f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1820
    • C:\UserDotY6\xoptisys.exe
      C:\UserDotY6\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2116

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintJI\bodxec.exe

    Filesize

    3.1MB

    MD5

    1e57e4b30b25046b236b86afca77648b

    SHA1

    5970d30d8b881531e48e88397959d3df7cf8f0f4

    SHA256

    785a594aa87e0337c8722ce57d260ab3567cb34ca7b4fdb3849aad08155405e9

    SHA512

    670fd59d30b5a6db9bcd1dbbbf3b5e107d02a3bef907c62b6aebfbe47950d18452e5be7c86d9672ec843fec9681f98eae9cde1cc6986408ec4fdcb0c0feb8b43

  • C:\MintJI\bodxec.exe

    Filesize

    3.1MB

    MD5

    fb7a150c50ec2d20c4eae7c518fbe467

    SHA1

    7e66d24e459eff0bf0d50bbb8fc3be2f8d758ff4

    SHA256

    a08c2fe9853f0a9df095eddd4d232d1383acbe26ca382f5853820f7cbfc16bb9

    SHA512

    44c4c1cbbbd66fe3e9bfd9a96c772e645e49606b0940b880c5aa171f86a98e2b02edf046e2e246a6ddfb539475d06d701aef2abaa93e83e8a84659c67bed8617

  • C:\UserDotY6\xoptisys.exe

    Filesize

    3.1MB

    MD5

    a3306105d262041a4cd72d6341b178fe

    SHA1

    b778eb61601eb4229886b43c1cd1f453b1877b5f

    SHA256

    861f9f2ae2b7c459ce9f76c8646f4bd0bb48308e0378a3c9a6fa00d2b6360e10

    SHA512

    31b7d591a1290551daaf67e9a3889100dbae02d2eaf8839bd455fca9da2876e80bacdf8b1093b561c3b403f77edf8cf78f0e80053256e2dc3c07f6807762cb22

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    6b861a82c597526552e4c0f9acd66057

    SHA1

    1a6f412a0661432d77c8f2c904249a1148b673b0

    SHA256

    017f24a6d5624b824d70d0e0854690668734cb16bc310a898a04cc4b9dba5855

    SHA512

    cd5c294477bbbf7eeb05d762cba6fc1701b842f34b9acc4fe84a963c9f2650438f24e4728179bb979f964323cc6d99496962ddafa2ace23ed1d9f129b9564779

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    48d3a91171f377f1bdf5e91e760735e2

    SHA1

    6853e464b983f0f80521c901cf074bf2c3b3af83

    SHA256

    3244e6f99f33852ca26c1376ad58b9877e1b9db7fb0b8dec3767767fe475d349

    SHA512

    c3c2d9a0125b5b64626313571d0cf1936b8afb778e95438de7a55bd885b5fec74acc64e08c1e3af5fbd550bce77683ad4bc74190acee5320651091c88abfa299

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    3.1MB

    MD5

    cc7d016da0e8855191cde5f6a23d0e02

    SHA1

    d51417eb6140a6edbec644360353827587d880cc

    SHA256

    b12af2fd4479b2d5833194b25e6353b0a8925f648509ce64b85305c85764ac03

    SHA512

    1e0116bd5cde7b014ad98a4f64ae5eae546998c15b579a06e137a8cd4c92b8f61fc6406f9cf11d076fcf96e05329ad8a924ac25a8d6c11bdd85970927b09e53c