Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 22:30

Static task: static1

Behavioral task: behavioral1
- Sample: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Size: 3.0MB
- MD5: 7708296758770825dd203c43b4624550
- SHA1: b14636f2b188b10111126620f78646ebd1dd883b
- SHA256: 99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c
- SHA512: e99bd73e6d4a7b5d89759701b5eb94dcb6ef78e389ad50111f925b1bdc8cf8060922ef23f771e2b106ed67d0b286da1f86ba9f11456e150420623af92c848b89
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  pid 2648: sysxbod.exe
  pid 2036: devbodloc.exe
- Loads dropped DLL (2 IoCs)
  pid 1740: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  pid 1740: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDG\\dobaec.exe"
  process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTV\\devbodloc.exe"
  process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1740: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe (2 entries)
  pid 2648: sysxbod.exe and pid 2036: devbodloc.exe, alternating, for the remaining entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1740 (7708296758770825dd203c43b4624550_NeikiAnalytics.exe) wrote to memory of 2648, procid_target 28 (4 entries)
  PID 1740 (7708296758770825dd203c43b4624550_NeikiAnalytics.exe) wrote to memory of 2036, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
  PID: 1740
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    PID: 2648
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotTV\devbodloc.exe
    command line: C:\UserDotTV\devbodloc.exe
    PID: 2036
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.0MB
  MD5: 05e72b07eb4af0df1049aacd39b3f180
  SHA1: ebb6727ce351059ef9bb672462c173ac5466b8b1
  SHA256: 440422553fd39eeb18b6f223a93944d70369b1ac209bcceb6847bad44715d193
  SHA512: a8473742b5eb490ac046fb3d5220e59e4c023ec3eeb8891725c059a290f51dd94d6fedb9d5c8f3197dccc6a64bf616c85cf5e7b12c55fb5609dd0e37a0cc4018
- Filesize: 3.0MB
  MD5: de64d349479f69b68610895bbdd8bc55
  SHA1: 26ca7421ef1c7647cd51c68b3fac92b3393213c6
  SHA256: cccccbf6106dba278596b848891826eb640e945280438323d771768137e54379
  SHA512: b70bb5919a35129099f2df34a7be700b3dd8ae2d82934aa083cacbb9724c73756bc66d3dc86b267a836051476ec7c135c69c7cc695e61834d7df090bbb53b4a1
- Filesize: 3.0MB
  MD5: c000603fb33208ee88647981798e4762
  SHA1: 1c4251d64addf30017ed66d1981e46c251717139
  SHA256: 79776fbf17f0129380b9768fc4c711d9702e033fb79bce0efe4d9c18fbd35c7a
  SHA512: 9b59f7a9bed7508320160c8c589a9bab72c8ee981cef2c056434dec1750f77702cde98eb8b504125158670ec27216ac5770af685db655f85dea6b0123682eaef
- Filesize: 172B
  MD5: be259b90fcf3c1ca2313f7509949ef46
  SHA1: 1aa5ca8d9f3267e9df1b66612c7010c930be2d5c
  SHA256: 009790ab4203d870daac86e2e1dd66f07cd24360a8633f307d1db2160cf33233
  SHA512: 4d58f4887f60b6f148987711bab19446ba8951db4c5ce7ccfa9d206cdc82bd3f3c9093d87bf998d2de08322a8f7db5d01f77515210a48222e8d8cbcb76820220
- Filesize: 204B
  MD5: 87b6bcc461dfe9df391f787e0b69a436
  SHA1: f6a492d9404b62ed47d568564d5e27b5bb7e90df
  SHA256: 78f609a925912342db9d6eec4acfd094b5acb762275af5fd99f8b87fb45ec4bd
  SHA512: c0e5c096272b781ed2c726acafa1c6f1723dd4008e2cfb4108bda9a3c01e531d381ab0e389b40f6b9de8590c15cfecfc600bc2856fc503463fc6955e64ee69cc
- Filesize: 3.0MB
  MD5: 1881c5c2a75c846029e83ebc6bec31c6
  SHA1: 2dfd6db8326c61818ad5034f346dc7131afcb3c0
  SHA256: a5a6197bfde772fc164089906a839dfda0ccc43e32a75ca5ca962856a97b2653
  SHA512: 33b26c0f773c1d84083b99b68c751edbfe9e8d3b106415d453059ef3ef55cf406936ed78d14664f895e5e378e0a7ef10595c2c7ba7cb06756f6643f488460dbf