Analysis
- max time kernel: 150s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 07:11
Static task: static1
Behavioral task: behavioral1
  Sample: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: 9218265fb231290964c8f92d64cf2f50
- SHA1: f521242e65fd3250e3ae999b05f831b53e593838
- SHA256: efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e
- SHA512: ac501c8265c6df08fa7a4f45444d06f798350f3a6de35442dbcb84b00047ca53f17c703ac39fc9ab5714871ec3e0e04bdb1223eeeb88301f59e7ec5e8603373e
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpeb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
- Executes dropped EXE (2 IoCs)
  PID 3248: ecadob.exe
  PID 3104: devoptiloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAQ\\devoptiloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8A\\bodaec.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the 64 entries repeat these three):
  PID 1000: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  PID 3248: ecadob.exe
  PID 3104: devoptiloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe (PID 1000)
  PID 1000 wrote to memory of 3248 (procid_target 90)
  PID 1000 wrote to memory of 3248 (procid_target 90)
  PID 1000 wrote to memory of 3248 (procid_target 90)
  PID 1000 wrote to memory of 3104 (procid_target 91)
  PID 1000 wrote to memory of 3104 (procid_target 91)
  PID 1000 wrote to memory of 3104 (procid_target 91)
Processes
- [PID 1000] C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [PID 3248] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - [PID 3104] C:\AdobeAQ\devoptiloc.exe
    Command line: C:\AdobeAQ\devoptiloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads