Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 02:50

General

  • Target

    9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    9c94d2158b84017be2fb17e922438f00

  • SHA1

    d4b37f9c17a69394712693d0670f0e032934e586

  • SHA256

    e52e7cd649dbef5ad74239028339c5eac006bf258e5b7c98116f91647775cf47

  • SHA512

    1293474b21142c41ba0da775b6542ded776150865de9f2362700c567d7f6e18566adad0c9283bebabcd5425d25db9f898c199de7cf342bbc857c512d7f934ee0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUp6bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • C:\SysDrvV3\aoptiloc.exe
      C:\SysDrvV3\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBDG\optixsys.exe

    Filesize

    3.9MB

    MD5

    e563fbee63adad226010ba89493b5bbe

    SHA1

    a3faeaa8190dec160fd82e91c3883bf979353ca5

    SHA256

    93430767cb027e371f4358a978748286bcd5ec9bd0c619e2e5f48cf23d1a057d

    SHA512

    3c282696d64d3cd988e7265f83e28f4340425f4b17a4854d2ac8f93549f850b0cb1b144083ae0dd11440730b2db79b574ec2c7df99b43412dc69d62a82a442e2

  • C:\KaVBDG\optixsys.exe

    Filesize

    8KB

    MD5

    1c31992317278cbfbb062cd4732b9020

    SHA1

    b2953bc21d0bbd03b25aba4e7b3d56cc63708195

    SHA256

    0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

    SHA512

    a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

  • C:\SysDrvV3\aoptiloc.exe

    Filesize

    3.9MB

    MD5

    238af395720b858e0d3beac7ac927f8a

    SHA1

    c78937b6b24b0ff86ec59935a8443d8368049781

    SHA256

    7694ef2267b7ea820f81618e1ae564d15c5a9ffc86d0b2adf30c129f48a8e660

    SHA512

    93af77c7aabec762a2922fa920306fc7007b9c58bc305332fa6d793bf27e95a6a6655833086044d6ed6b959b3c70b7076ea526d35c110657afcb5d91b55b5d66

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    a0de8f298961e37f8a59dd3cbad26f14

    SHA1

    b2795adab5b52fe5f47cdb21ae0d3d7b561d14c7

    SHA256

    790ec155540535f018d97f8727f1b07e5e6e3aabb9d1b03b05bcf430ae4c01d9

    SHA512

    c79f151b48d2ad4dc6dde8a25cadd46d3d251ca9bc8aa798f35efa6c9fa114fd6ae221aa2072623d7e67bd8b9b29b7ab4e4561ecac3261ef3b0f77d79fda63a3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    a4039924f68e6084da3ef8348830269f

    SHA1

    877425c97129ee4213fbd91405b705f5add6bfc3

    SHA256

    ae982b18348d7fc195c805c85fdcb093e1efdcb90292a115064325183ce681bf

    SHA512

    6f508fda04d5d3fd88f7cfbcbbae40efa5be9affff7e9e4f126d94208e44ca3760cc461aa09e72a9e0773c1b99c5b1d284493c67aaaa578d2d51743d4ac4d1c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.9MB

    MD5

    387e0baf398f4846b1973eacba0a6e88

    SHA1

    c7fa0a443da4274ed29190c5b826f45fad57ab22

    SHA256

    f804ce4a04f397272841e6f044c465c1c3fb55a2a0927c3a39c57796d19920a1

    SHA512

    8cf7bf4cd304d3a12e5393e96cff1380a7405a98b260380f1de8400481de094ebf313c044cb5f8d36707bb218a57ba5067df77f1292963698184d6441581cf0b