Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 06:41

General

  • Target
    a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
  • Size
    3.6MB
  • MD5
    a9f5ca7ebb7f8249faffc03cea8caec0
  • SHA1
    c733f0d2e3efcd2921e21acf25daac936ebfc3d8
  • SHA256
    d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0
  • SHA512
    67b5a4670233c10474e9d388cbd567d46e61125d23fb4ca294d40d4585ff55fef65dee8691a406b8c75395fe95244f8328ec773586cb165679ce72c52f351b56
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpQbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4300
    • C:\SysDrvBF\devoptiec.exe
      C:\SysDrvBF\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2692
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
    1⤵
      PID:3224

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\GalaxSK\bodaec.exe
      Filesize
      3.6MB
      MD5
      d6f9d74b2613cd1c0323afa671e9857e
      SHA1
      2030660277a973271324c4027cc8175196d58fc8
      SHA256
      e99211329672d48bd212dfb3671fb1f5a23fbacd92f5a6afddbaca116c236257
      SHA512
      09046d06988f0f1ea1bd0cfdff81553c8e3b223a029f06fa40e97586c107d394a188eb269fa30a82ecb96abe0f45b39a48f349f2a5af7fa7a7a851966213f634

    • C:\GalaxSK\bodaec.exe
      Filesize
      3.6MB
      MD5
      7d8fc219cd7e52b50a3382dee3388ea3
      SHA1
      69d67251951b0ad0898bf28882977c92cdfdf97a
      SHA256
      d81ddce14eccceaf866eac9274774f6c46e75fd29c16bf32ce1115b494149a2c
      SHA512
      e50caf5a0078dec7f44b93c34f05e8bc8b78427b85f32106ec7b864c376e81065d70fce34865abee587fc43a62c632f3394bf75c6cd54034cdeb243ef74806fe

    • C:\SysDrvBF\devoptiec.exe
      Filesize
      3.6MB
      MD5
      7004ea328c7b101287e2456b4e333d73
      SHA1
      3b7887fdc7cdb58e7ffe2532576e3f008b5dc783
      SHA256
      66c2aeb8eda8c2d068ba31ce6c0b96b19dcc77370fb47d633d7b0e563f1472bc
      SHA512
      f8d29d10bbb5f33d905f89ed33277d272b772411f0789641fa17c4f835cf29c074eee0eaf89c1dee0677fbde80fc702b9a153900fa736fd8b01629ce79cb37bd

    • C:\Users\Admin\253086396416_10.0_Admin.ini
      Filesize
      202B
      MD5
      c3af3a767cd1530ab978f92d5cc310c4
      SHA1
      5262a31189f9a7cb1781612992badf75db0e8944
      SHA256
      6b711be347e28b9e43fc25e534e50afc4fb55a846a0198248efe7525cd436a5c
      SHA512
      82970dd2f5ef4d1b63b6026b02890e92df7544b047f897355bc8b8e196b2eba80a0435fce8ed720ed1488d36af0a597d85f2e5a320f09ba1620a4bb5d286fd57

    • C:\Users\Admin\253086396416_10.0_Admin.ini
      Filesize
      170B
      MD5
      3e56c615370603e664731d73f08f7b66
      SHA1
      520e770ec18073b3af9d893df78d42deb743b0bb
      SHA256
      bfe931248856e3a64c32d4d54599dfb6b81b89754e056735a6ce300d7d432e30
      SHA512
      acb38bac51af66bbef06d17c90049948a736bdd3fef2fc318932687c88f4e75612ff1ceb2f697d0f84901fbe7d1131439ca76d1ae479bf0007250976d3a708cc

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      Filesize
      3.6MB
      MD5
      8a42cd690db90e12b428154c1b74db0e
      SHA1
      a47371f4eae7f17901bc98b6da162bee047c7b52
      SHA256
      416e9a092655bf9b3bc38177d4d5d34b445129fa10118ea540d896cad18b8284
      SHA512
      10063c423050075c05769b98a0a69e5f32fd2822dad24a48a089333edc40101b27039e249aacc6b37e27b055436b0d2f868af3e08b0fb7d1994a20d2808b397c