Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 02:49

General

  • Target

    9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    9c8cb66857908f54e6105df65d80c540

  • SHA1

    10b44ca5be963bfd479217d606b7bd490a29ae7b

  • SHA256

    c209f8784c6137c1474c554169fc8c5595f7d5a736174dd55c4f2ab86c54069a

  • SHA512

    1fedb0892cfccb48ea9f08b7323443e6a31f6095f5c0c6fab2e772c41e7c815814ee548f5346abe585a889bf5f6824bbc40075dcfb15a940a2e9fa7af347cd15

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2008
    • C:\AdobeGY\abodsys.exe
      C:\AdobeGY\abodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeGY\abodsys.exe

    Filesize

    3.0MB

    MD5

    08c983435dc542ac292418d8746b7b5b

    SHA1

    4165b0c035b3f1ff00e1d59b83ab16cadc78ae1f

    SHA256

    9c978ddb104b9c0f665cff46f8f821462eaae73733350391c824876202c2a909

    SHA512

    0bb7568391b8aa2814e22bf8228b6fa2f33c07b144aeee37d3a137252538f3d021550818458a13d487fa2829196a5aa07a46ff597ef60568894a69a3d5a49a2b

  • C:\GalaxU9\dobdevec.exe

    Filesize

    3.0MB

    MD5

    3dc04bab13dd4eba51b2c578f38559b4

    SHA1

    12d12e1c7f5e61339e353f4ab9e4bdd54125a172

    SHA256

    71bb12ebf704eaa83ee93a10a89c375cccb998b7ce8f6da6e8a06e25f1480c74

    SHA512

    5f5f235c0b19d6d56c7e43d2a474fd9f029ab889900ce6d1ded5f645b0e7dbbc7a0b038c064a619e25b5f398b5fba8c3ad651033ffa9e13da0b661c6b1e2e58e

  • C:\GalaxU9\dobdevec.exe

    Filesize

    64KB

    MD5

    1fe0d14acbae1f4503fe3c851d715a39

    SHA1

    6e9ecb695f2b07b82aa67f8a0c7c244f7baada13

    SHA256

    61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574

    SHA512

    5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    ee0cf23979604429a04207cd022f7b57

    SHA1

    d3ac756d6d8caa3abc47228d27a3b3c7fbf52347

    SHA256

    4cd9a16751718102c5122dbafb77d06c9f76a549dad63653354d303c05e5666a

    SHA512

    15b0cfffe289eeaa97ea2ad7dfe0f9ccb4844b631e7cdd2beb2287011db3448b02444dbfab51aeeda3fea3a4e01d1c74083393d158fe6c0df3560aa4ba513ae5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    eeb861ade3da8591f8f20d2a65a81727

    SHA1

    922eb486f71158a5e6441edfe94d36f74d67bb97

    SHA256

    990e49b78575a6826f2b1c2b40a177fd9f089645ff5cb788fe26021453d6a3ae

    SHA512

    cf8064a3cf8bf3abaacefb766d2573aad91fe6167003659f5c3a2de33dc17210bf86f1aa734f155e4179784ff15418ffd16bbdca320489716c103e704a7f3129

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    3.0MB

    MD5

    de8ce670df2a2ff6730b90073df744b5

    SHA1

    bd3201fc7cb8361222e0ab0c025f1a8eb0dac443

    SHA256

    39c904b158fd709419d970775ab002cf429eccda3ce87e29e559358d7346fcb3

    SHA512

    4b3bd952185765ee18cc70b5e25a94f0443228bc050d38f7cbda5d3491121edb47e81206fc4fbda53189629a477266b0e50f76bd8a8d20e38753d29999fba182