Analysis

max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:30

Static task: static1
Behavioral task: behavioral1
  Sample: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
Size: 3.0MB
MD5: 7708296758770825dd203c43b4624550
SHA1: b14636f2b188b10111126620f78646ebd1dd883b
SHA256: 99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c
SHA512: e99bd73e6d4a7b5d89759701b5eb94dcb6ef78e389ad50111f925b1bdc8cf8060922ef23f771e2b106ed67d0b286da1f86ba9f11456e150420623af92c848b89
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF
Signatures

- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe

- Executes dropped EXE (2 IoCs)
  PID 4836  sysaopti.exe
  PID 2184  abodsys.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7R\\abodsys.exe"
    Process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBG3\\bodxec.exe"
    Process: 7708296758770825dd203c43b4624550_NeikiAnalytics.exe
  Both values use the same name, "Parametr". The RunOnce target, C:\KaVBG3\bodxec.exe, does not appear among the processes observed in this run.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 536   7708296758770825dd203c43b4624550_NeikiAnalytics.exe  (4 events)
  PID 4836  sysaopti.exe  (30 events)
  PID 2184  abodsys.exe  (30 events)

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 536 (7708296758770825dd203c43b4624550_NeikiAnalytics.exe) wrote to memory of PID 4836 (sysaopti.exe), procid_target 85  (3 events)
  PID 536 (7708296758770825dd203c43b4624550_NeikiAnalytics.exe) wrote to memory of PID 2184 (abodsys.exe), procid_target 88  (3 events)
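The three persistence behaviours above (a file dropped into the per-user Startup folder, Run/RunOnce values pointing at an executable in an odd directory, and the dropped executables being launched) are the ones a responder would want to hunt for on other hosts. The following Python is an added example, not code from the sandbox or from the sample: it matches Sysmon-style events (EventID 1, 11 and 13 with the fields Image, TargetFilename, TargetObject and Details) against rules written for those behaviours. The event dicts are constructed here to mirror the report's IoCs, the two benign events at the end are invented, and the rule names, the "trusted directory" list and the root-level-directory heuristic are this example's own choices.

```python
"""Match Sysmon-style events against the persistence IoCs in this report.

Added example, not code from the sandbox or the sample: the event dicts
below are constructed to mirror the report's IoCs (plus two invented benign
events), using Sysmon field names (EventID 1/11/13, Image, TargetFilename,
TargetObject, Details).  Rule names and heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# Anything written into the per-user Startup folder runs at the next logon.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Run / RunOnce value; prefix-agnostic so both the sandbox's \REGISTRY\USER\...
# form and Sysmon's HKU\... form match.
AUTORUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE)
# Where a legitimate autorun target normally lives (heuristic, this example's choice).
TRUSTED_DIR_RE = re.compile(
    r"^[A-Z]:\\(Windows|Program Files|Program Files \(x86\))\\", re.IGNORECASE)
# An .exe in a directory sitting directly under the drive root, e.g. C:\UserDot7R\abodsys.exe.
ROOT_LEVEL_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def autorun_target(value: str) -> str:
    """Extract the executable path from an autorun value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def check_event(ev: dict) -> list:
    """Return the findings one event triggers; an empty list means no rule fired."""
    eid = ev["EventID"]
    if eid == 11 and STARTUP_DIR_RE.search(ev["TargetFilename"]):
        return [Finding("startup_folder_drop", ev["ProcessId"], ev["Image"],
                        ev["TargetFilename"])]
    if eid == 13 and AUTORUN_KEY_RE.search(ev["TargetObject"]):
        target = autorun_target(ev["Details"])
        if not TRUSTED_DIR_RE.match(target):
            return [Finding("autorun_untrusted_dir", ev["ProcessId"], ev["Image"],
                            f'{ev["TargetObject"]} = "{target}"')]
    if eid == 1:
        image = ev["Image"]
        if STARTUP_DIR_RE.search(image) or (
                ROOT_LEVEL_EXE_RE.match(image) and not TRUSTED_DIR_RE.match(image)):
            return [Finding("exec_from_drop_location", ev["ProcessId"], image,
                            f'parent {ev["ParentImage"]}')]
    return []


def scan(events) -> list:
    """Run every event through the rules and collect the findings in order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'startup_folder_drop': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events mirroring the report's IoCs (paths and key names from the report).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 536, "Image": SAMPLE_PATH, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "ProcessId": 536, "Image": SAMPLE_PATH,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDot7R\abodsys.exe"},
    {"EventID": 13, "ProcessId": 536, "Image": SAMPLE_PATH,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBG3\bodxec.exe"},
    {"EventID": 1, "ProcessId": 4836, "Image": STARTUP_EXE, "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 2184, "Image": r"C:\UserDot7R\abodsys.exe", "ParentImage": SAMPLE_PATH},
    # Invented benign noise: an updater registered from Program Files, and a system binary start.
    {"EventID": 13, "ProcessId": 1000, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
    {"EventID": 1, "ProcessId": 1001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.image}  [{f.detail}]")
```

Run as a script it prints five findings, one per malicious event, and nothing for the two benign ones. The RunOnce value still fires even though the report shows no bodxec.exe process: the rule keys on the registered path, not on whether the target was ever executed, which is what you want when triaging a host where the RunOnce entry may already have been consumed and deleted.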
Processes

C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe (PID 536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 4836, child of 536)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDot7R\abodsys.exe (PID 2184, child of 536)
    Command line: C:\UserDot7R\abodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 400KB
  MD5: 8de603cade6c67d6f6d8b0bd5e668f96
  SHA1: 8679939808188f209f7862c5d80aa5e0da96d386
  SHA256: 6a459c064655d7488dd76e02c48fedf18b025561b83c2670db5a62516bb65d15
  SHA512: 3175948953d0aaa2e4ae8367198817296d32670db8591ca1f770fb323a314c2b28e981dd5fc556f2fa19fd9a18d8174910ac431e5378cab830cf7b80ba41eb42

- Filesize: 368KB
  MD5: 9e11a956e5300fcacf192025d7b1f995
  SHA1: 80f9d7f3be45b50d0d03d4c20e3bbfee8f8ff24c
  SHA256: 1c73f0e6c59c39d932cda4654dabea7a53c967a7bc31541ee4166ea5b907430d
  SHA512: 75c500c8720504ca9b51949d10d36dcf7975c7c9649ed056b197d8ec9009e0ef84c3c2b51d45a8b010e794dfea96f7be65095b5e90eb547d381faf12fbfa5b46

- Filesize: 3.0MB
  MD5: 97ff59b1f3d5f593812597013017d47e
  SHA1: 85248407a6801e287ccf29412988f00257148186
  SHA256: 317f89793471fa03b2f3827ecede87c04426648dad30deb73d602ec4610068d9
  SHA512: de58c6660182e3d74fb6d850cb5191dc2eed518c2c7b487bd13139d3031b6612f4a509ef8c4b69b3cf9d78046f6fc2582e956f4b58cb37a976e3d1388798caa4

- Filesize: 202B
  MD5: 00737fecef8050d9a8a1ee3e3f404178
  SHA1: b24a843d6cdba743c44456fd7a8de9234f1b2ccf
  SHA256: 28e46bb4f824958182e1da69171e5c4ca3cf3fec6861508df064ff1abe6b3aea
  SHA512: 139dc2aea93ff8e862d2a06c2fadc9595da3ee136ed69a57f083501bb1e89cdc714da76ade418512f47e812833746a2ffc800b665db32d2840f355f5af3927d1

- Filesize: 170B
  MD5: 4e885097337b8c2060bd5d181f0662e1
  SHA1: 764bd332b9a362d1ac3791d95b8cf0b5b57f85e4
  SHA256: 503de247d85c785df64b0ae7d47aedcb0a603b0b28a516807a0e1ebd47b0f364
  SHA512: 04b4be475b32ee2e5ff438b6d4b0f0a1665e0f6a7a3319daa0ab96c3224f8984093d25f423d4779eabe7c43feafaba8a1cbc655e32df431596dba11b15db5219

- Filesize: 3.0MB
  MD5: f51d8b6730b274fc031482c81bfcc70f
  SHA1: 001bc5f12b361faf4b6684ea9b4606b5fab0f770
  SHA256: 6a49188ded9739ba01aaa64ffb2bff2fc90f586fd446dc7d549297fa6ff6af8f
  SHA512: 4f3731d03667b1f6712f32a7cc0a111d5f03a751f0d048788caa81e1082f4c41b9dccb398a38a1fc5c71d9171dd78fd154f9eb7b092c0cb4d407f139ed672817