Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 02:31

General

  • Target
    9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
  • Size
    3.1MB
  • MD5
    9b5ded4287c5c3872386297e9a2a1420
  • SHA1
    1a6924adc275cac1e50417d6d3b876b29e2fc866
  • SHA256
    bd869aedb7e9de4461effd656c188a7dc4798fa614defba50ccc789d5608127c
  • SHA512
    2c186d4b5d706772be8bbc98fe4c70114e35d6958ceff6cb1917ddb2824d44672ef00bb793300e07c37299f1e5c7ac7bfba1057dcbadabb1ac133517623e5f4f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2124
    • C:\SysDrv2D\devbodec.exe
      C:\SysDrv2D\devbodec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3400
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4052,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:8
    PID:1428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintSH\bodasys.exe
    Filesize: 18KB
    MD5: f3611b180f53e7b766446f16c0eb47e8
    SHA1: b0a5575b4fca6d2ca1ebf68f998124b33189a5e8
    SHA256: da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f
    SHA512: 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1

  • C:\MintSH\bodasys.exe
    Filesize: 27KB
    MD5: 9066f9da2f6e14f558228b695e72cbf2
    SHA1: 91038a2a5cdbee686253b1163db1462b67afdc3e
    SHA256: afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4
    SHA512: 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d

  • C:\SysDrv2D\devbodec.exe
    Filesize: 3.1MB
    MD5: 18a33d1959df79123937bc66e81ef5e4
    SHA1: 020b41320b10ad5fdf08723393565170e2890351
    SHA256: 68bc44551dbc9770db27668f51e09fb7a301aeeb05465c7391ea923076f20cd0
    SHA512: 18c669182300059a5e789b6821615ea0223733ae8a6f91d160e6c9c2ea8befe739ed111367b5107769fd9a5997f42c33d4dc862138c43a2832593fe1853eeccb

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: 98bd535f1de846fb93c22c094ba6730a
    SHA1: d2fc67788c117f4acf823d68a90cfe5fd3346cf7
    SHA256: 8b58ad82ab24c759fed5ecc8f8bc7a573b2cc346834fd5eebdf8d79c123daa3b
    SHA512: ceb1b21c25a1a8b173f41b4f3e5438c58bfea11248b5371e70bc8973fb741c57d184eae79fd78ea724d86a07009ec3fde1d13473d7252a5e975bdd24ef83c512

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: c250e4056e055915db54ab11b4426ae2
    SHA1: 39356bfc81b9fe5506e1e248f5b3c81ccfdf9c7d
    SHA256: 3c84242275d80542f823545ce115db4387397b1b9fc1cfcdf0331a2e257e670c
    SHA512: 414b2d7ffc879252713aae359afe353bde2ace83d300de0029502a88e0e7f48ae9bba5ca9b5c0880025282f4caad7aae066f42d8009bc197d796ba5eca9e60f3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 3.1MB
    MD5: df25f5acae881c09035d8e180cb06d29
    SHA1: 93242441149929cfb19c40c35ae9046acf8a72ec
    SHA256: 11c5c5470c1eb53501cbff6466b890005f58408214a311353b39070a278ad7d1
    SHA512: abb6d629d62d7988278f2df58395d417165d3a6470ba93bf7ef329d8d747520b12e0d00d0d473e868f04e9971bff7a6cfac5b50989e34022c07872184d71715e