Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 02:49

General

  • Target

    9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    9c8cb66857908f54e6105df65d80c540

  • SHA1

    10b44ca5be963bfd479217d606b7bd490a29ae7b

  • SHA256

    c209f8784c6137c1474c554169fc8c5595f7d5a736174dd55c4f2ab86c54069a

  • SHA512

    1fedb0892cfccb48ea9f08b7323443e6a31f6095f5c0c6fab2e772c41e7c815814ee548f5346abe585a889bf5f6824bbc40075dcfb15a940a2e9fa7af347cd15

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5112
    • C:\Intelproc3T\xbodec.exe
      C:\Intelproc3T\xbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2624

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Intelproc3T\xbodec.exe

    Filesize

    3.0MB

    MD5

    8e9ad0a2d993199de521c509bb1cdc7a

    SHA1

    d9587f4556d7a025474342dc1ea7860218938b7d

    SHA256

    88e5237df76de1722ed47e054b1a939bfe3d4db3e7239af234b0b395b3646268

    SHA512

    6630d0095174365ebfd0679969347d677c1e82ad87e20335398c0a94adda6b2c8da2c9cb1ea0019d1116173b36ec182459228631c26d48ee22edc8fe1a430007

  • C:\Mint6T\bodaec.exe

    Filesize

    216KB

    MD5

    6d497fa0fdf1f3ebd025f1292c0712da

    SHA1

    d22b933bba2ac88401d6114137a76a831b275ad7

    SHA256

    a372f5015de51f08f5acf92f60363d26d2dca84357a31411ca3125fd4b2c9906

    SHA512

    9c00eb441c775aa6cf3f17181b96d7db3132e049397be661a97666c22b62692a2c30c89b606cb70c48589257747d1e12b051327b048b99cc071c95391d5524cf

  • C:\Mint6T\bodaec.exe

    Filesize

    3.0MB

    MD5

    b807c6b171034123850687821d0e8913

    SHA1

    0720358194697539f5f91dee7ea6b958509e28c7

    SHA256

    f217bf6ecd23f53a54048a5136dbce8a99f4e0594c97a5a63e3576b43bbf9c7f

    SHA512

    636a39a38c99fd044a856947861589e72d6324c7d450cd5313825186283d0e9279e0f103a2bc21518cb1e948c06f27c5399d8ebef6e2181c89b9b76c83ce2e4f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    8fbc5e83f8be01b95f358e685b5e6913

    SHA1

    97770caab78474b03091f8ef2cc8c05bd87d61a4

    SHA256

    7fd819dfac092987ff5b5fee3f1c9ea3d540ccc2f7eb6578b2eba75fd5903488

    SHA512

    c5f168610cd026f4025a628228aa41a1db19e1e74d7c4d62527b3ca959403ef3538dede5a1c018794bc8871259c66a542ceddeb4f08aac3c3e130a6898371088

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    8e384797a996f4363d5fe87dbe423e89

    SHA1

    faf8f3a76bb162711299b43b84a827e5f5874f82

    SHA256

    3a517c71bf18f02fb0081095bd1fdebbc827927c714df69a0cc3bd33c18a7ccc

    SHA512

    27c969c794563802dde890e6e5fe70763cebb57b300866fe5d8e63b6e2a93d33cac56d0ea42c46eae6e35795e01a5f0f3456ae8ee2fdbf4aee5ff4e733437eaf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

    Filesize

    3.0MB

    MD5

    fb6c53b576d97010323ebe42f9499323

    SHA1

    9884f6739579cf4a6141bc71b0c789e9810bb8d5

    SHA256

    6db0ea938b88429c8d3fd2fd9e67a136965f20e9a2130757f0cff2753bbe1fc2

    SHA512

    033812c1b32361708eaecc2e9e37c6324b47266b75ceda6ac1a2dca938f860f9ab5cb31f9a797563c879bd09858b0b1b5533ae962f0e2c9a69f388a6ceb66336
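As an added example, not part of the sandbox report, the following Python turns the report's indicators (the dropped-file SHA256 values and paths from the Downloads section, the Startup-folder drop and the Run-key persistence from the Processes and Signatures sections) into detection rules and runs them over constructed Sysmon-style events. The event records, their field names (modelled on Sysmon EventID 1 process-create and EventID 13 registry-value-set output) and the Run value name are assumptions; only the hashes and paths are taken from the report. The 216KB and 3.0MB entries for C:\Mint6T\bodaec.exe, which the report lists as dropped but not executed, are both included.

```python
"""Detection rules built from the sandbox report's indicators (added example).

Hashes and paths are copied from the report; everything about the events
(records, field names, Run value name) is constructed and assumed.
"""
import hashlib
import re
from dataclasses import dataclass

# Dropped-file indicators from the report (SHA256 -> path as reported).
# C:\Mint6T\bodaec.exe appears twice because the sandbox saw two writes.
FILE_IOCS = {
    "c209f8784c6137c1474c554169fc8c5595f7d5a736174dd55c4f2ab86c54069a":
        "9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe",
    "6db0ea938b88429c8d3fd2fd9e67a136965f20e9a2130757f0cff2753bbe1fc2":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
    "88e5237df76de1722ed47e054b1a939bfe3d4db3e7239af234b0b395b3646268": r"C:\Intelproc3T\xbodec.exe",
    "a372f5015de51f08f5acf92f60363d26d2dca84357a31411ca3125fd4b2c9906": r"C:\Mint6T\bodaec.exe",
    "f217bf6ecd23f53a54048a5136dbce8a99f4e0594c97a5a63e3576b43bbf9c7f": r"C:\Mint6T\bodaec.exe",
}
# Staging directories the sample created under the drive root.
DROP_DIRS = (r"C:\Intelproc3T", r"C:\Mint6T")
# Per-user Startup folder fragment (the report shows sysabod.exe written here).
STARTUP_FRAGMENT = r"\Microsoft\Windows\Start Menu\Programs\Startup"
# Any value written under a CurrentVersion\Run key; the value name is unknown.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def sha256_of(data: bytes) -> str:
    """SHA256 of file content, lowercase hex, for comparison with FILE_IOCS."""
    return hashlib.sha256(data).hexdigest()


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_file(path: str, sha256: str) -> list[Finding]:
    """Rules for an executable image or written file: hash, drop dir, Startup."""
    findings = []
    digest = sha256.lower()
    p = _norm(path)
    if digest in FILE_IOCS:
        findings.append(Finding("known_hash", f"{digest} matches report artifact {FILE_IOCS[digest]}"))
    if any(p.startswith(_norm(d) + "\\") for d in DROP_DIRS):
        findings.append(Finding("drop_dir", f"file under staging directory used by the sample: {path}"))
    if _norm(STARTUP_FRAGMENT) in p and p.endswith(".exe"):
        findings.append(Finding("startup_exe", f"executable placed in per-user Startup folder: {path}"))
    return findings


def check_registry(target_object: str) -> list[Finding]:
    """Rule for registry writes: flag any value set under a Run key."""
    if RUN_KEY_RE.search(target_object):
        return [Finding("run_key", f"Run-key value written: {target_object}")]
    return []


def _sha256_from_hashes(hashes: str) -> str:
    # Sysmon's Hashes field looks like "SHA256=...,MD5=..." (uppercase hex).
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def scan_events(events: list[dict]) -> list[Finding]:
    """Apply the rules to Sysmon-like event dicts (EventID 1 and 13)."""
    out: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 1:   # process create
            out.extend(check_file(ev["Image"], _sha256_from_hashes(ev.get("Hashes", ""))))
        elif ev["EventID"] == 13:  # registry value set
            out.extend(check_registry(ev["TargetObject"]))
    return out


# Constructed events for this example; not captured from the sandbox.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
     "Hashes": "SHA256=6DB0EA938B88429C8D3FD2FD9E67A136965F20E9A2130757F0CFF2753BBE1FC2"},
    {"EventID": 1, "Image": r"C:\Intelproc3T\xbodec.exe",
     "Hashes": "SHA256=88E5237DF76DE1722ED47E054B1A939BFE3D4DB3E7239AF234B0B395B3646268"},
    {"EventID": 13,  # value name "ExampleValue" is an assumption; the report gives none
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

On a live host, `sha256_of` is applied to the bytes of any file found under the two drop directories or the Startup folder, and the registry rule is fed from Sysmon EventID 13 or a one-off enumeration of each user's Run key. Hash matches are the high-confidence signal; the path and Run-key rules are broader and will also fire on legitimate software that installs a Startup shortcut or Run entry, so treat them as triage leads rather than verdicts.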