Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
Size: 3.1MB
MD5: f5136e16d689d43ffc49dbf8e94f7f40
SHA1: 87fd4ac2e07d66898adeeac14b85c56e9c869b9a
SHA256: 2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2
SHA512: 5e2a60add685d74850dece08310e15318e47e37995281cc86aab5228207614315b2667662ce92eefbe7673dddce73dcd0d221a17feadfc4d16c2f1d17f6f676a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8:sxX7QnxrloE5dpUprbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  Process: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  PID 2572: ecadob.exe
  PID 2528: abodsys.exe
Loads dropped DLL (2 IoCs)
  PID 2184: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe (2 occurrences)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXF\\abodsys.exe"
    Process: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT6\\optixloc.exe"
    Process: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2184: f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe (2 occurrences)
  PID 2572: ecadob.exe (31 occurrences)
  PID 2528: abodsys.exe (31 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2184 (f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe) wrote to memory of PID 2572, procid_target 29 (4 occurrences)
  PID 2184 (f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe) wrote to memory of PID 2528, procid_target 30 (4 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe"
  PID: 2184
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (depth 2, child of PID 2184)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2572
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrvXF\abodsys.exe (depth 2, child of PID 2184)
    Command line: C:\SysDrvXF\abodsys.exe
    PID: 2528
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads