Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 03:16
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  - Resource: win10v2004-20240508-en
General
- Target: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 5a23077e9e58a3b323a0e8b90632f9c0
- SHA1: 4829630d1fdd1c7981a915c902eafa18aa4e3f20
- SHA256: 60d45cf36c25afb59d0ebcf196c64fc5e96ed35c156f6dd3e4809d82c557f48b
- SHA512: f957a3bca3e3e542ed2b210bcf02a8f07b2547eecd21db1ebdda2581efcc7d8d53b10dbc87c038640a348cd13231c5171c858e2bad75d9e50e7f7df248343021
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe)
Executes dropped EXE (2 IoCs)
- PID 2008: ecabod.exe
- PID 1980: abodsys.exe
Loads dropped DLL (2 IoCs)
- PID 2276: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- PID 2276: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRA\\abodsys.exe" (process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXE\\optiasys.exe" (process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs; the same three processes are listed repeatedly)
- PID 2276: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- PID 2008: ecabod.exe
- PID 1980: abodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs; each entry is listed 4 times)
- PID 2276 wrote to memory of 2008 (process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe, procid_target: 28)
- PID 2276 wrote to memory of 1980 (process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe, procid_target: 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe (PID 2276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesRA\abodsys.exe (PID 1980)
    Command line: C:\FilesRA\abodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ec55c202d21f238a14572e7a890b631b
  SHA1: c388f76fe316d70b37eaa499f1bb6b18cdfb6fb8
  SHA256: 730c45aa477597028916fa943dd2efc93aeac391ef76fdabd93bdde44991b995
  SHA512: 71cc167db8bd70b4d50c7ad5966981e8ac6fd98981ca973257702225806377dcd73b73b725dde85302996f630b4714bb78b885f8104d4f840e94435145bd56c5
- Filesize: 3.6MB
  MD5: 5aea361d614fc982dac8a3c1cf7b3de1
  SHA1: ef4100fe78c487374af00a8b0b260dd6a64d8708
  SHA256: d180fe16debb3c2ce2c7d5b4d7214a8b2f3646c68ec3537715f2ad8de3159441
  SHA512: 9539bf24d683331d2c6335e38c4ce277ec4162bfd397b4d7c55fce8dd80de8cb3d5f2f5c544dd319b6b99b43a3d95759a4b98d0368cecb17edd38f83ec7519e1
- Filesize: 168B
  MD5: c706d8fc597fe10c890258aa03e4defb
  SHA1: fe071da16802a145314d8e17651331a8c24db21c
  SHA256: 1e648df8b1c4135728772bffc527c659e3849989fd90dc4259744931cf284bee
  SHA512: 48afce71354f094729144ad638db74c318f314c08ed4425bc8e15e53ec2d4b47d9aa3798c7f860e63dd761a9c6ad9b732426b063c03a37a2b40a7ae3b8de1d38
- Filesize: 200B
  MD5: 837d8d406931c19607f7226e1718c8bc
  SHA1: cc6aac10c1e74a6496c10f604569bea449ba7c58
  SHA256: 118994c2b7dbdab71413348bf940b25055092b9fe694ac8981706bae22e63db7
  SHA512: b1e6a4371b68f472617b4f29e1cc58f007708f94dd331373b985fbcaec9cb09f13f177d01d8d1f5097d5ad6628f6b46f6326a49ffe41cec0a4863aa723dad1ad
- Filesize: 3.6MB
  MD5: 185562596455c1dbbdbed46f8dbbefb1
  SHA1: ff7859ab6a1e81909c12cca63b575ff51ed3207f
  SHA256: 73dabac6fa44f4beb2a11b19c4f6cfae1c92bcd9a1d61ac88a3c174938d48a88
  SHA512: 28199014896332bfb774b97d98184a506541eab97c16aa1fff1beba0b53a625577a64ba8b8b35e3843e6cd5717d26532da3a0fd67b7e9e97d5abd661f2f5a3e3