Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
Size: 4.0MB
MD5: 02bf927ea3e045428e9b0b00a75806b0
SHA1: bd6d303b071ecb86a3f5646290ca4b04328168b6
SHA256: 0249dc90c9d106d075a4b6aa40c00ff321689a5097dd46dbbfc7237ca2292a59
SHA512: 838bba160850ee25fe216e0807afd1949f9fb58d3ad110aede84e998d6af0ad070617c7bfda2e4d89c02d53a88bedab96d237e4f0e7b821ac14532e1e2e57e49
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3016 | ecdevopti.exe
  2172 | devoptiec.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2240 | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
  2240 | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTJ\\devoptiec.exe" | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBS6\\dobaloc.exe" | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated pid/Process pairs collapsed)
  pid | Process
  2240 | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe
  3016 | ecdevopti.exe
  2172 | devoptiec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2240 wrote to memory of 3016 | 2240 | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe | 28 (4 entries)
  PID 2240 wrote to memory of 2172 | 2240 | 02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe | 29 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\02bf927ea3e045428e9b0b00a75806b0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2240

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (depth 2, child of PID 2240)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3016

  C:\FilesTJ\devoptiec.exe (depth 2, child of PID 2240)
    command line: C:\FilesTJ\devoptiec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2172
Network
MITRE ATT&CK Enterprise v15
Downloads