Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 07:08

General

  • Target

    aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    aba6ab98809f9dcbd40421dda81925a0

  • SHA1

    883758eb2068175968eaa6ecb54aec9699077f91

  • SHA256

    8068a13bfa8cc3ff5bd3021c20d7e6c518b10f6d0a2482ca2be131ef400cb436

  • SHA512

    49201be6386c146f7a3dff1496468d183efab1da73d0e93e52fab948490a54840075576d75d6f9f7b95d742164a5c51fbaca864c26471f62e9bdd5e054763bc8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpbb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser profile data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\Intelproc7B\xdobloc.exe
      C:\Intelproc7B\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2588
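
The signatures listed above and the per-process attributions in this tree are derived by the sandbox from ordered process, file-write and registry telemetry. The following Python example is added here and is not part of this report or of any sandbox's own code. Its event list is constructed to mirror the tree above; the parent PID of the root process and the value name and data of the Run key are assumptions, since the page records only that a Run key was added. The "Loads dropped DLL", "EnumeratesProcesses" and "WriteProcessMemory" signatures are not modelled, because they need API-level hooks rather than file and registry events.

```python
"""Derive report-style behaviour signatures from ordered endpoint telemetry.

Added example built around the process tree on this page; the event list is
constructed to approximate that tree, not captured from the sandbox run.
"""
from collections import defaultdict
from dataclasses import dataclass

# Per-user Startup folder suffix and the Run key suffix, lower-cased for
# case-insensitive matching of Windows paths and registry keys.  The Run
# suffix also matches RunOnce.
STARTUP_DIR = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",)


@dataclass
class Event:
    kind: str          # "process" (create), "file_write" or "reg_set"
    pid: int           # acting process
    path: str = ""     # image path for "process", written path for "file_write"
    ppid: int = 0      # parent PID for "process"
    key: str = ""      # registry key for "reg_set"
    value: str = ""    # registry value data for "reg_set"


# Constructed telemetry approximating the tree on this page, in time order.
# The root's ppid and the Run value data are assumptions, not report data.
SAMPLE = [
    Event("process", 1996,
          r"C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe",
          ppid=1234),
    Event("file_write", 1996,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"),
    Event("file_write", 1996, r"C:\Intelproc7B\xdobloc.exe"),
    Event("file_write", 1996, r"C:\VidZ1\bodasys.exe"),
    Event("reg_set", 1996,
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value=r"C:\VidZ1\bodasys.exe"),   # assumed value data
    Event("process", 2912,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe",
          ppid=1996),
    Event("process", 2588, r"C:\Intelproc7B\xdobloc.exe", ppid=1996),
]


def analyse(events):
    """Return {pid: set of signature names}, attributed as the report does:
    the writer gets the drop/persistence signatures, the child that runs a
    previously written file gets "Executes dropped EXE".  Events must be in
    time order, because a file counts as dropped only once it has been seen
    written during the run."""
    dropped = {}                 # lower-cased path -> pid that wrote it
    sigs = defaultdict(set)
    for ev in events:
        if ev.kind == "file_write":
            p = ev.path.lower()
            dropped[p] = ev.pid
            if STARTUP_DIR in p:
                sigs[ev.pid].add("Drops startup file")
        elif ev.kind == "reg_set":
            if any(k in ev.key.lower() for k in RUN_KEYS):
                sigs[ev.pid].add("Adds Run key to start application")
        elif ev.kind == "process":
            if ev.path.lower() in dropped:
                sigs[ev.pid].add("Executes dropped EXE")
    return dict(sigs)


def persistence_artifacts(events):
    """Locations a responder must clean: Startup-folder drops and Run values."""
    found = []
    for ev in events:
        if ev.kind == "file_write" and STARTUP_DIR in ev.path.lower():
            found.append(("Startup folder", ev.path))
        elif ev.kind == "reg_set" and any(k in ev.key.lower() for k in RUN_KEYS):
            found.append(("Run key", f"{ev.key} -> {ev.value}"))
    return found


if __name__ == "__main__":
    for pid, names in sorted(analyse(SAMPLE).items()):
        print(pid, ", ".join(sorted(names)))
    for mechanism, location in persistence_artifacts(SAMPLE):
        print(mechanism, location)
```

When applying this to real telemetry, match on the dropped paths and persistence locations rather than on file hashes alone: the Downloads list below records the same path twice with different sizes and hashes (C:\VidZ1\bodasys.exe at 117KB and 2.6MB, the .ini at 172B and 204B), so the files were rewritten during the run and a hash-only IOC set would need every variant.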

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc7B\xdobloc.exe

    Filesize

    2.6MB

    MD5

    a90cf04bd623e1f090a3fda0fb46559e

    SHA1

    730906136e88664392fa59c47bee6d806d3ca0ed

    SHA256

    1ec32adba6d8eba4cf70f084906b09b89d9d8d58f4be6a76d3039a6f1aeb86cd

    SHA512

    780ea97bae8d8126a411607ba1e6b31736085054d57d81ce3e769aec1a08b7824cccfbb841a1396435e6469f0ecfcdd3fe30eb600ed521723acddc511ef230e4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    2a5d7f2d1bbfe8db1a081bf5c6531e7e

    SHA1

    b159e27a7b95d1281d25b5a3a37f1b0851c12cc9

    SHA256

    e41b7ebfc0c0d05d8b06f1506e81c65e4485bc1399c9495b690747f878ef05fa

    SHA512

    b8b5906f6834edf543fb20d812ea3fb81d4d66b1174f53b1cba4a6e7eb3216e602240ce358a9a8692a869d3b055ca33afbfb0a2a9715dfe470ab05ba421fb5cd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    ce0c3fc9c6b69fd4d73ac90483f22ec7

    SHA1

    9b88c511ae2ea6f3b257bb16bb113fc1eec0acbe

    SHA256

    95a1caac94e03c2a51c1bf735bd236b8064fe8e6b21a046b3d462e5f10a8259c

    SHA512

    485dcd98814b21d8f14766fdd3a26f70dce08762e8f74142a27a0d38412e6548d932569ce2e8bac61ff80e4d75ce039d8ae3ea47bea9270da7e105260bf337a5

  • C:\VidZ1\bodasys.exe

    Filesize

    117KB

    MD5

    b30af74c34a007928f25b3c482d6aeba

    SHA1

    111abb46b79b44819e95067b1b91c24e37f73cb4

    SHA256

    1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea

    SHA512

    4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041

  • C:\VidZ1\bodasys.exe

    Filesize

    2.6MB

    MD5

    34376e69347c6900de00bf893fc58be2

    SHA1

    a01870392aaa97ce6761ed25d9d72c10e6eaad24

    SHA256

    4db20a9808ee9d4418b98f7beec03441be4628cdf58bfb11a531669c73878153

    SHA512

    7e78bdb215aa58eb8b991120260b516ee9bdf037459aab84236cc43e0f8f15cf9a33a20b1ce7a5f02e019b5a47f27aa0532949e55282213fc7d35b46d2faca73

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    f3783b3649bbba086c2e1350b9ae5dcc

    SHA1

    9e9ec753dcdd64903eecaaa02fb0d4979842c1a4

    SHA256

    3197185fc6f31de2ad2f261943640d204d0b39d77113fd709934b7e5853af9d7

    SHA512

    de138ae7021e01a28d1ae90bd76be1eb349c65c3b3f91c5e13b03b10f610e5addcd85729b83f2a368dbb6a921919916d0114a65f3a2293b13b148ac5e13055fb