Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 02:50

General

  • Target

    9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    9c94d2158b84017be2fb17e922438f00

  • SHA1

    d4b37f9c17a69394712693d0670f0e032934e586

  • SHA256

    e52e7cd649dbef5ad74239028339c5eac006bf258e5b7c98116f91647775cf47

  • SHA512

    1293474b21142c41ba0da775b6542ded776150865de9f2362700c567d7f6e18566adad0c9283bebabcd5425d25db9f898c199de7cf342bbc857c512d7f934ee0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUp6bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\SysDrvBW\aoptiloc.exe
      C:\SysDrvBW\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2664

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\GalaxDZ\dobaloc.exe

    Filesize

    47KB

    MD5

    703298e1938b94b8a048722589106182

    SHA1

    76cf69965dbd2c3eac9313fdd3019ef346fbd507

    SHA256

    6eb1a87af8ac5230a217aacd34de88c59e06268b719fc264c44e62dfa12e7709

    SHA512

    3516ce6ea8807a3fb6c010e95d8450210cb156137ce1b2c7eabc8864fd53cdf8eb31a79323092e9a8ee41dc76c1f14b645b91fb0be2ee13197dbbd875e68fc09

  • C:\GalaxDZ\dobaloc.exe

    Filesize

    3.9MB

    MD5

    4cc505d5267734706c8a00b1837addf1

    SHA1

    e3a402b9bf725ab36864bc26886f02158bfbf2ab

    SHA256

    4b39b0288cd06bf2538857292ba11bc7eb2165eec502c4bd000c71d94a899553

    SHA512

    2c97a11bd11950fee4f1729735e5efc8c38d2e8bc3759f635f45c1868457a0d0156d7b446e549b666d864630e6cdc3ef7646e8bae1fc4154b39eff0b68dd055c

  • C:\SysDrvBW\aoptiloc.exe

    Filesize

    36KB

    MD5

    60ffdb7bd6d8ee8074e418c59c385250

    SHA1

    268a825e21da75c33d58509badbc738dd110aa45

    SHA256

    203648e76d5b17b83f0677ec38a7a654d8da498025103a58f89a152f49dac705

    SHA512

    e17ff3075e6116357ced81950349739309dead39db867a864b62e47adb0dfa9f265c88771023a4060eef235fb8de443e49ca3ad35a7e7b2c75a0f597d39b4c47

  • C:\SysDrvBW\aoptiloc.exe

    Filesize

    3.9MB

    MD5

    abd124627cd5d02573196216d844ab71

    SHA1

    58bb002cb551f08ec92c1346c6c84941af156766

    SHA256

    77c5270fe5158f2619f172c404afa42dce400cd30ff1b71696d56e47fcf5f699

    SHA512

    71fd953523d975d4f4d377d284d027195727e39a73526d9f5a134607a0317aac1cd47a63f9bd1ab378ad82b972f0419397f7fb60d18ae2123f718fd0b381e29f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    91df04342a9453323d655acec3b7602f

    SHA1

    31fcb6710c364adc186c071f8f3cb77fa5b9b367

    SHA256

    69d309657f5ece3548acd8ede48b34eaaf89f86a5ee84f654f87d61751e2dc68

    SHA512

    fc65d85988a8eccfed0b4fa170c5f43af11a034fdc48a35f06461dc4bc93e24d2505d95f9653f0f2c842065ee8871fe46eff935483ddfdb38c3a7b679f2affe1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    10cd8056eb8ea73fe81e269d03ebb1ee

    SHA1

    c0af50510c6941f76a2f450b16ac10b41230e027

    SHA256

    a3a147a05eb11910596cf21749485873623306fc7fdec3a8e5256689c45f4a8b

    SHA512

    2e416b234eafcce57fdbeb5635cb9fe7baae1769d58b918e773df983ada9a846933ccd39e925641515be0305bb1b69bbfe638373622069f4aac474603bc635db

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    3.9MB

    MD5

    a0515509f77f09428133b97605cad3b6

    SHA1

    cf3f77fd0247fcfa5dcb8947829e12104389ef4a

    SHA256

    553ad992338e278300c075edab8074643f399009e16b73b1e0e5c322732f4630

    SHA512

    0113c6d321d629ff141936db821cb0c8bf666629e5b524e97dd6a1e7a0913b876a666aa1bbd737d7ac80de199747a980f6e3a9efb94dfc89f44598220bb97c73