Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 07:22
Static task: static1
Behavioral task: behavioral1
- Sample: 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 9276f79325ba0e41da5ad0d602c1c340
- SHA1: c06b56a2cb6b8be8b3c684a41e5be89d9f2cf1ef
- SHA256: ad203fac83feb2654cde73778509b316c899f7ef8383e706c8708f91fb0907e9
- SHA512: d01b185674eece2724ee3c91f563e8ab17d23a35374d3f158049c505fa5904330ecf7cfdc489b929f9818fc9cdf8841407aff9beb86279eeac993cda52940547
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
- Executes dropped EXE (2 IoCs)
  Processes: PID 1636 sysdevopti.exe; PID 2164 xoptisys.exe
- Loads dropped DLL (2 IoCs)
  Process: PID 2756 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKN\\xoptisys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRD\\dobdevec.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated across the 64 events): PID 2756 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe; PID 1636 sysdevopti.exe; PID 2164 xoptisys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2756 (9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe) wrote to memory of PID 1636, procid_target 28 (4 events)
  PID 2756 (9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe) wrote to memory of PID 2164, procid_target 29 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe (PID 2756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 1636, child of 2756)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeKN\xoptisys.exe (PID 2164, child of 2756)
    Command line: C:\AdobeKN\xoptisys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads