844a91968ba6bbf55f94c674d84ab18227cb1e19ab83f0153944906e6a657e27

Analysis

max time kernel
129s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
Size

788KB
MD5

7f5bab0f29526ae50a7c6782a92d1750
SHA1

f5e681a9155b9dde37e098b37125de12b7feda50
SHA256

844a91968ba6bbf55f94c674d84ab18227cb1e19ab83f0153944906e6a657e27
SHA512

69e04784c05054e5e6bcfca2ec973687ce0b5df223076b836a69f04a2d446797f52de5b6e43ca0847ea089eca600119220e08ed675573bab026e0090129e3324
SSDEEP

12288:fL+r/+3mpWWK3G8SCKtHa6d593tNt627YKEwZGkLclBXGw5iFZi2:w/+03K3ZSh3ltNt6uYKtJolBMY2

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX3391.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX3440.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\java.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX3019.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX66E1.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCX3964.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Defender\RCX439E.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX5DE6.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX22B6.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCX3BEF.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX4942.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\RCX21D8.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCX527D.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCX53D7.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX46B9.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.ico	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE.exe	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX2A84.tmp	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
2956	7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX208B.tmp

Filesize
788KB

MD5
6fec006053341e1629dca60fc668d4b4

SHA1
48ef866593c7ac3e2ab6a82992fc27e978dc99ea

SHA256
13dfebfeaabb0f111dd7402ecf578f6e2187f09218d415444f830921eaca0968

SHA512
f22aee417987f6f5f0147087b6329aae6c1960d73f42b81d35630b946dcebdcf5de7eb540a45870b182761df3c710fe7aba97e2fa7b54cca98e9b88a60adf340

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

Filesize
957KB

MD5
e77806a07f8934217b7fb1992c3a26c1

SHA1
91a7c70cca72cd04d8eb19b92cbb278712736617

SHA256
daa1de15523a0b43eb7b909c28beb4d173e02985bafbc0ea459cfd8c77f2b363

SHA512
c24a73723aa4a94d662312466f4e359ac6462b8620e75fa7d682dc48f7e2ec608abb4c06dc504a2398efff21ec5e329948ed15d1d8ca78b61dacbded0e0e99ef

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe.ico

Filesize
3KB

MD5
767c790375ac69986ed160fed75b8c20

SHA1
c74bb1c047f8bd10a639699af31b048c43292a2d

SHA256
b6ea1ea633f0de0d44d899e11564e3f1ff018c9dfb849ad40e65349343465801

SHA512
ce795d7b5cac1393598c11f18ad537007c9703a734ef1806a930aa24eb18534bf8f11811d03f0c188a7254361eaa484fa77818b6962b2573a1d5cebb073ddf5a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe.ico

Filesize
3KB

MD5
b5c34fc5e0e1d40dda9859593349841b

SHA1
551b6657f2b2f2699503e54c7f146de61c84f7f0

SHA256
ab227a7dff0fb5720f363bfd67fd4e203fc99c62c13b18c841b5beb5d0bae8e5

SHA512
d78ce8736d1f97ea17fc07ad2ec329215b542cc321d39622052b18bf783913d3e5a24707066e178ee7b1347a680ab158fc1ee998b553693796e84637a6fbb2e9

Download Submit
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe.ico

Filesize
3KB

MD5
70f7eb6f0e42805134583ac203c2dfd9

SHA1
fc513300d133a9b8a45da81a72a10b937e909190

SHA256
3d275500cf3ebda5e878d81dcbbaa53528397ccbe631aae8fae60de1ffefccf7

SHA512
bf3126bfc018c3890afc1a105db52b9b332ed24228cf1a8e1df715287ad51161ff3fa94c88ef2cbcdda9a10bdc992691b9171fa07cfb2e8b71c35d12605a1179

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE

Filesize
1.4MB

MD5
70fe0e243863e02cd178c6d42a6ebdb1

SHA1
b562bc162e76af7e10ccc459c0fe388b192b837d

SHA256
cef512bfaf77ec08697821b0241f424cf101a211444abb65e2fd87034e62fa8f

SHA512
52f44d96f754dbcdaf9795358cabdc66c571837aa71090bea679d209b3378c0d3ea4baf0c1c20f1484cb6b09875455d0ea45e481d89c86dcfcd8e343f85e3977

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE.ico

Filesize
3KB

MD5
898a86d149560e1e17cbac99d14c3359

SHA1
2172174e7d2c8ba0908fa88bc98482efb411c856

SHA256
e64d8d738f20dcb38d4430d09edb482802a9c776bdc7775699732293b21f387a

SHA512
1ce2422d3b973da83535ba6e1ad38077b15916d5893d24093925c3ceaf36e56f91d5ebf136b80dcc0baff8365a131a5d398de5e0b9bdcc0b31812ee5035aaa3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.ico

Filesize
3KB

MD5
c368c506d783deba3f713b1d9def8a9a

SHA1
85491a719040cd648b4e59b7015ad3c6ce18c865

SHA256
76a9004a5c7b39801bdec8382ccda8fe94ea5aff0814fb702342f3cfc3825ecf

SHA512
6ca5dbfce7ab6c1ca69c0a2d5c54b1b8ad08ed68eb7b1369c0304a9e1a22df69c3120fd59122a8f4e2bd42d84219162ce4a42ca51965b514222ccf47d9838ce3

Download Submit
C:\Program Files\7-Zip\7z.exe.ico

Filesize
3KB

MD5
a1c23e8a6cb2d6609531c6d7f33f1ee2

SHA1
aeb4a0a2803d22951925a71ed5861b04a2fb1a14

SHA256
a02154034351a96084c018cb571f89f1858653d7bda257bfb57f2dbd3d189472

SHA512
e040cd53c2ed1e0bae6ed7598a823bb487b52cf164c84ef81384ff28f908203c0608707231d18f02ee6268079310899b152332cd0dd3cfaefd4406a871d03cc7

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe.ico

Filesize
3KB

MD5
9b001d081a779a1e1841bd4f4799fa6c

SHA1
8841e991c9cc07e6972d9e52636ca907ba2377ba

SHA256
3158513314ec77556292191919ce13df9903f2b5162a7c2b394271118c6d67c9

SHA512
04f4fe9d6767220bcec26a78a478ba3671bd667cdd06889e655c83f6caa3c52143fc888400a9d823669264d08332f310c4a722679fcb7c1f03b9be52d92b3679

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.ico

Filesize
3KB

MD5
42bcec3e98359774dc3e6c4f286f2a29

SHA1
60d64a4eef136d68840c47f6b4b123bf2d27a816

SHA256
e1cea795a25829032e1f1c4bf63e9820e4d0bff4a984b04d1ef0f1e1be283360

SHA512
a1afbf90d7d9a76d1de34070e878af26ca427b6e9b8f41f54029fe25affd9b7670c42609e56561064edcefe8cfad81a531dad880d1c46ca29cbf00cc95d8d3f3

Download Submit
C:\Program Files\VideoLAN\VLC\vlc.exe.ico

Filesize
3KB

MD5
0ce9278565508d661035efd0f7d36eb8

SHA1
680c603c0a192e1a7368a0b460dff76c813d9cb2

SHA256
35b828914be90a2b690166a88ed02e2698d45dbd490a792d04ac84bdee11d0da

SHA512
7567d74a13f6b6b8da16577a6aae0fffd475e73e085e292c8791111592c71f250037b9288a76a7fcbf9b30e318bb12c51a83f1a79937f3117b9d9c2beaca5888

Download Submit
C:\Program Files\Windows Media Player\wmplayer.exe.ico

Filesize
3KB

MD5
2e1ab871b24b664b43cd7deb467e71ac

SHA1
814f4e6bb28f02305106f36887666e71efc6e13d

SHA256
71dc4da64ff2a7c1e04d43904e45307d2c8bd85ce3c721533b8bef1b358b55a5

SHA512
c05f4695f2571dea59f3bf26e7f1d47dc3f6bc4bc9418df73af323276ad690fa2592bdf02a248a0a3241d9bf87198bde944ace66e5d6f9a6f5c6f549f1798ac3

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe.ico

Filesize
3KB

MD5
f0bcceefca16469328af3c931e1f0fda

SHA1
bd0947e61ea35bb746355b5cd155b8e6aab72d21

SHA256
0665e47f543fa6389be496605f30cf4ce96e1f2d305080062f83c738daa8387c

SHA512
19be763d79cd790b7c7b605d637018cf555a905de121ac3f031c0c730da11b80f5aff1c4b28fac2b85011be02cb8759992bbd6dc68572fdc031eeccf5dd2b477

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f5bab0f29526ae50a7c6782a92d1750_NeikiAnalytics.exe.exe

Filesize
4KB

MD5
ca2c1ec5ce15d40e0fe8b60c33235a24

SHA1
785be52e2fd0f9aa66e6e997d465d2254ba2778f

SHA256
2f070f490a54dde307bcc87e5c5e1219988923c384c758ad99fdd6332f66bb80

SHA512
489d3be3b2ca68609e5cbe4fed238c49973eedd88499d87db150e6f4a4be6c275c0673ccbd40a39064497b820842ce855920e6d4c00627b9fcb465b1a2c42dc1

Download Submit
memory/2956-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2956-3303-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download