Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 26/05/2024, 03:16
Static task: static1
Behavioral task: behavioral1
- Sample: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 5a23077e9e58a3b323a0e8b90632f9c0
- SHA1: 4829630d1fdd1c7981a915c902eafa18aa4e3f20
- SHA256: 60d45cf36c25afb59d0ebcf196c64fc5e96ed35c156f6dd3e4809d82c557f48b
- SHA512: f957a3bca3e3e542ed2b210bcf02a8f07b2547eecd21db1ebdda2581efcc7d8d53b10dbc87c038640a348cd13231c5171c858e2bad75d9e50e7f7df248343021
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  pid 1256: locabod.exe
  pid 2000: aoptiec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocD4\\aoptiec.exe"
  Process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optialoc.exe"
  Process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4236: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe (first 4 entries)
  pid 1256: locabod.exe and pid 2000: aoptiec.exe (remaining 60 entries, alternating in pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4236 wrote to memory of 1256 (3 entries)
  pid: 4236
  Process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  procid_target: 95
  description: PID 4236 wrote to memory of 2000 (3 entries)
  pid: 4236
  Process: 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  procid_target: 98
Processes
- C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"
  PID: 4236
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    PID: 1256
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocD4\aoptiec.exe
    command line: C:\IntelprocD4\aoptiec.exe
    PID: 2000
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
  PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 846f420d2ff4e271aaeb2dfa83826e75
  SHA1: 8658064734b3a41f270b9605ff38ca279fe44694
  SHA256: ef96f4202310d3279c44697c1c9cad315fb83e6cf34915f154205187354c3059
  SHA512: 42d700b9748049718af6a0aef42d90467ba33628ba45ebfb5ded1f42442a7626073d502351ed355210e1ead2054e615c43b60bb135b516cce93c99208806d5ca
- Filesize: 3.6MB
  MD5: b51798fdf62b5466fab42bbb393002a0
  SHA1: 5541ce2c9c1012f46a83ceaff7bacfb5ab408bd6
  SHA256: 1ec498d01fdc3527845b07a1804651e9c6286ccc74ee3e5a6e36fd0252b31f09
  SHA512: e918c938b9b24f10b530dd17d7c3e844a37b5af7113ea4b9687d7647f73597df0f2d8b7887a7f25cddfb56014d8c40ccb559b192fc2f30caf448c024282542ed
- Filesize: 2.0MB
  MD5: 3d61f5980a01c44e89ca0990aa7c62e8
  SHA1: a089598220eb5b0d94aad429acbc10feebc9559e
  SHA256: 55110208d72f3943be9d8bd5154f66b3059c7644b9bb47e9682c7b99751bf6da
  SHA512: 080ef59b1e1e30de263408c885e06c71b302f24adea3e9bd5e9bcf92b4b31cb82cca5ef396b55dc56db8639b93dcf0ab53a4c881483fc5e7cf6bca05ef4d4f0a
- Filesize: 673KB
  MD5: 03f0c6a6fe78e5bc7540c9c0acdfe667
  SHA1: 73e6cb9b5478d0fb1f8a6b0326b7f0c1ae71de50
  SHA256: a303a059788bcf9842c86e9ad1128c90cb808e9363846c03db5b6c959b8de4ec
  SHA512: 8dc59c53d532d5b88a5a872a2379f9191298fd5a66901c3b1cc555db3ab9421abe7b14c91fde491c8c63ec66be72306ab5d6c0bb4813e974712dba8449ad7410
- Filesize: 205B
  MD5: 673b2dfe0636b8effc34f00dee2ad33b
  SHA1: f95329bf0d1f7e3f40fb42873cd621523c0a2545
  SHA256: 2c18e6483af92afdcdc3db4793a383e8aa3ddbd5425e8205b6145a0a2df1f5a3
  SHA512: b0376c2c3e2287fe76a0788d3840618ce57fc3f608a7b59fde241a4bec24c44239f60d53c7cc6e697c9c8c5f92bad57b8d28c28ec7dd036ac353e8ca5a7d1435
- Filesize: 173B
  MD5: 299cbfc1d6dbb17153d90037a7e50fd9
  SHA1: 19a09fe29443829899c60043efade80403ced503
  SHA256: f020577056b04361884dd821bbcbceb350399f52414ff86ab416d6f3cec56b1b
  SHA512: 17d3895812744ead222baa9e3f75f5824ab4412a4f61d573303db38e4ebacd8e732d3a2d176790d8bf89d1b407f6803260088b9509c969187e0c9888469aeebe
- Filesize: 3.6MB
  MD5: 7b93a4e66fa3765d938db7bf837cff7d
  SHA1: 810688040286ddb14d6ec111bd4cf80ae1b53003
  SHA256: 6922f3c7f9cdefd8c5cced8cc00f0ffaebea77a1d762c6db2c2f1172fa646345
  SHA512: 5ddb060f6d12568f314f097ec6b775f0aa0ecd0e7ebe93e9318363a587c0f371bedb326d449dce5ca86097b8ebaeee525dfc5370f923835ac6e20fe810f0c3ad