Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-06-2024 06:41

General

  • Target: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
  • Size: 3.6MB
  • MD5: a9f5ca7ebb7f8249faffc03cea8caec0
  • SHA1: c733f0d2e3efcd2921e21acf25daac936ebfc3d8
  • SHA256: d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0
  • SHA512: 67b5a4670233c10474e9d388cbd567d46e61125d23fb4ca294d40d4585ff55fef65dee8691a406b8c75395fe95244f8328ec773586cb165679ce72c52f351b56
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2792
    • C:\FilesNH\devdobsys.exe
      C:\FilesNH\devdobsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesNH\devdobsys.exe
    Filesize: 3.6MB
    MD5: 58d490ae112f8ca92229d810911e938f
    SHA1: eeceaad69ba15569ff53a568092aca4f5717875b
    SHA256: 9c4f05c69841a561c8623138a52ffdb5b05702b8aea88cad95432dd2d741951c
    SHA512: 13ee4dfd2f85acc9df685c3af8e3a998402154169422ab1a3476a431648fff3da19786aad3a732d73325723b09f3d623f9ed58501a2752877f9f0091f30ce809

  • C:\GalaxW4\optidevsys.exe
    Filesize: 3.6MB
    MD5: f3610061718960f1ee41d7eb46061725
    SHA1: 568a10c2bfef4bbdd4cc785b79622c864a36bb44
    SHA256: 0548192f11fd60cde9ed64e6503bfc685474d51a2827882aeb74093d5ca2345a
    SHA512: a44ea16930e35413ab3380dfe3a0bf376d607135f96264552f1214fbeae0cc31a69edb7f1199db7db5257a9b914d676ccd70f32f554d63a5fd9bd51d2487661a

  • C:\GalaxW4\optidevsys.exe
    Filesize: 3.6MB
    MD5: 59f9bc992b2a8ab2aeb9fbe2107c0388
    SHA1: 22bc93ed8834b26595ed04ee5561cd2cf320e785
    SHA256: 740bfa163df2579d0cf64bab737529ff3c27854d0912965bec2ea2a57863834d
    SHA512: 39284fb651e09fbe1c0399226b8e1b4e0193b14dde6bd72c49a540037ebb9dedb078fba37aee4de87ec0ca5fda6bd8ad02374fe6cbad622f4dc2dae2e10e2211

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 175B
    MD5: d1dff0904a8984a3549a33ba48663046
    SHA1: 5a0855418a68801cb27eb478481cc0606898c2b0
    SHA256: 78005de5783d8e7f62bf3a15dd45c97d19f344db5458a51de1e7a405ef2c442a
    SHA512: 3aa512acf83a04055ceb3fd3755a5ebba3beeaf4a32eec2cc5d29a40a74606f8f5dcf04632a8cb0d6d49359802755e51c046f3a6d8cdbd947605c15b32eef38d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 207B
    MD5: 360852f022979609c5317969978c48be
    SHA1: 6c1dd03628f712690457f674964e6f0e1d3c1bcd
    SHA256: 5693755ecf5eab27806aaa6562f84fcbfea255cb22d983228f056af4ee2e6a8b
    SHA512: 34fedec32cf010aa1886fac1c43f5b77174402f3391e64408fdce82a9bd48fb29d0d8d7c5fd5cfd46a046104e2674ef60f927391c0b98aca38e3ad4af25b7e72

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 3.6MB
    MD5: 2aa65e56ae8a96d18f54b6c75bc596aa
    SHA1: 8fa3d11f5e301c1ad47d5018fca96e3afd352843
    SHA256: 4b2e20487678cc6420aab78b9815b17aa3ad1cc1ac6bb8edb3364ad8672cc174
    SHA512: c8ed94b3b7e500a3356b712da34c20a373581132eb79834f1e0b2ddc7b93de7cec386ef226ec443fa89371b96e3813e82c556650d3cec34588210ecbf899e760