Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 07:08

General

  • Target

    aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    aba6ab98809f9dcbd40421dda81925a0

  • SHA1

    883758eb2068175968eaa6ecb54aec9699077f91

  • SHA256

    8068a13bfa8cc3ff5bd3021c20d7e6c518b10f6d0a2482ca2be131ef400cb436

  • SHA512

    49201be6386c146f7a3dff1496468d183efab1da73d0e93e52fab948490a54840075576d75d6f9f7b95d742164a5c51fbaca864c26471f62e9bdd5e054763bc8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpbb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3772
    • C:\AdobeLI\devdobec.exe
      C:\AdobeLI\devdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeLI\devdobec.exe

    Filesize

    1.8MB

    MD5

    48a2bfe6d18e9b2809fbd0af032881c1

    SHA1

    4f4d596139e17f50ef35c41f705c8db4664fb118

    SHA256

    dff55c7dcec9a669f79dcf5e7ffe14051a4abf04f89b981b5766154fc4c6aee5

    SHA512

    77165ced695b1960197fff977a5fa7b93e26122fedf09b29d80a9de1ac8d5e2da20f8cbb338aefb9f10e546b64852d224c513a2b9f7256c5a087eecf623b68a7

  • C:\AdobeLI\devdobec.exe

    Filesize

    2.6MB

    MD5

    4ecf984e25822b7983abebeab8fde76f

    SHA1

    962877ace2c499caed927d5c40d9d91fc5d36cf1

    SHA256

    476c04b3cf0c17dc1f0e4c2c0b5bb6a3a6a6d4826fa32e49727269d2d946734b

    SHA512

    c3f4a345a3a8f26e5dd6243406f811bcb512d173d2a6c2e417741732fe3eee3a2c3afbbba1a12e5616a3869eae32c79c8e2dc1c6f2c3dec1ff02919187fb993c

  • C:\KaVB2X\optidevsys.exe

    Filesize

    319KB

    MD5

    c0b763213a6ef2b2d6286f49bc7ccb67

    SHA1

    6cc83b57671efe2294be6cdd4318b015f76f2452

    SHA256

    12f09ea4da55ce33a2dd96f47369a34fb979e6396d76e5a51e444b50502c844c

    SHA512

    2f73455f19d8a76d5cd3d968fd4a43cb5ea38ac0dd5772ee1e190df55c7072e25f9ff1e5dc4f106aaddc05cead7c74201488eaa5400aa2c5498a90720b87fafd

  • C:\KaVB2X\optidevsys.exe

    Filesize

    2.6MB

    MD5

    3b52d04a0e9fe4a464f305453e4bb82d

    SHA1

    c1101796f5e24bd64feb41b915f4ef9b18a7b1e5

    SHA256

    9e7fe6fe7e906fb843721919f7e1194648f3d994fb96af682b8603dc8d681aa7

    SHA512

    14cf14e243718a2884c10e8a109fb5401a0d9fc3f19af7b7a0173b5127d2f88636654dce1b69b3b94e8c2493b50da9200bd5cf4235e937eed4e0601ea380be0b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    18f2b012f8ff4c0d45d1edf9975c5305

    SHA1

    ae5af155f54b5843c2e70534d42fca0dc99dd3e7

    SHA256

    4315fac6c192a2aacdcdab7f5236a225d03cb7f537c9b3c001dee15ccb89646e

    SHA512

    cc2ecb06a60ccf495e862b3c8a05f184fc849806013b69e09762fb1b7d27fb65322c13f7fb1d80931c726d1c29b740b0d8238d01a736898417a1eabfa9b957f9

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    62fb4dc8829041cea82bcfaef63b2906

    SHA1

    d637b8a368e541dd299874acba48cb09a204b21d

    SHA256

    7a7160fbb84b0fbe23d08862b9b8adff9ae06afe250d7052594626c5000d8f0c

    SHA512

    b0a841fa507a31a6ed487b8477b81526466785d9d077c6cbb0c17c203c708f3a5eb70d71d184ea6c4ae35dd8904816e0e57461006483ccf8227d4bf12017bbcd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    2.6MB

    MD5

    b6d6c7a92604203cc1ebd6a101558a69

    SHA1

    93654c768fa980d4b54c3915cb3f693c2f7181d6

    SHA256

    5965e38ddbfba855e09620d1257bb6dc19391641b222805bd83369feb28ee34e

    SHA512

    e82118cbdb6ffdd444b3c1811d2326a89c391f3da2d87ce07adb2b2e1632261801b4af8070759250ab6bc78c35ac58cb5c80d650f002c9597e5438ee01bb1775