Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Size: 3.0MB
MD5: 7812552ab69315d1846232b2802885a0
SHA1: 03009a8dd7983504158f7b3db570275cdd3034fb
SHA256: 8cb8e8317e97f9cc32f42b6d3ec3245c9ea032af1bc139498773d8e9636a22fc
SHA512: 2f03cab1d20a4f715f97bd04934fe2b3040e7c506c8ad38fd4b7f327f4243a60356b22face80ed6132c80e1e3389f871ffb536cbd5d719bd44be53cae4118346
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8:sxX7QnxrloE5dpUpcbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  pid 2420: ecadob.exe
  pid 2360: abodsys.exe
Loads dropped DLL (2 IoCs)
  pid 2412: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  pid 2412: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXF\\abodsys.exe"
    process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT6\\optixloc.exe"
    process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2412: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe (2 entries)
  pid 2420: ecadob.exe and pid 2360: abodsys.exe (remaining 62 entries, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2412 (7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe) wrote to memory of PID 2420, procid_target 28 (4 entries)
  PID 2412 (7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe) wrote to memory of PID 2360, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
  PID: 2412
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (child of PID 2412)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2420
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvXF\abodsys.exe (child of PID 2412)
    Command line: C:\SysDrvXF\abodsys.exe
    PID: 2360
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.0MB
  MD5: 227ae3b17b3f9143121c8bba26367dad
  SHA1: ce1843d996e40a0363fa9eaeda7f5a2cd3bc7a49
  SHA256: e9f9f2f5a7d87b48b243df85984daa7e3c83a5c49956ed2b23dc99db74493649
  SHA512: 63c373534ce750fa5ffb4635e2e19ecc3f6c51b7081f7ccb289eb5ff777448a3426f30aa9bb845c1f3505dd6d639af964fb1dee81f15542adedd29019206acac
- Filesize: 168B
  MD5: 6d949a9b3899e7a9ab231041d70a9080
  SHA1: 9097f87cca17c84b4704ead3d12606036271d09c
  SHA256: 0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa
  SHA512: da7f6e86fa077c69657121fcaad9198b0add42dce6f1d0fd362f28ad200219c91c6d6e7f2f7da08c9e204fabf3a9afa61a37a7655c1e9818c48438cf55a8e3ab
- Filesize: 200B
  MD5: 461c8d513f979b1d4ddb5d7d1ad6cd48
  SHA1: a1058425371677703145eaf38aed7815a5910cf0
  SHA256: eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c
  SHA512: 82c3ff71bcdd1c3c205bbf0a7d3293c0e7fcdfe54b430c331eab2d981ba059a1c03c98b13364d39565c8d06271d9dbcba24f6be2d0d5cb808ac878042bed3641
- Filesize: 3.0MB
  MD5: d2c06c317ce690648b68788abd0fa13c
  SHA1: 02261a0589ecc3cea53d6639c54adc41073ce3ce
  SHA256: b4215f81c53a05fdf9f21d2962f1b7f38da26685f98a6945573112a3bed1accb
  SHA512: e620553f50a8a0ef323a535f8a714b468130e0dc0495dd75c1892324e462604ae87b1c14438f17eef20d40d057fcb67a8127bb299e676f7339fbb88e3e368dd1
- Filesize: 3.0MB
  MD5: 6bb891bd1b5fbc8a0d1b041b57ffeccd
  SHA1: 9cdb8f739f9f7becff5e5e2fd052f012881766a6
  SHA256: 872b23a382e31921319f24a14556c71bedc2ade87a70e280546cd19778ae3b8b
  SHA512: 7f34f820724f8b458ec393782a391e50529a622fc8de4bfb0ebff6d4fa7e03021dd2b4cb802989dccd46b84318ac5237c77ce61e3aa15afcb787e4fbdbc9a19b
- Filesize: 3.0MB
  MD5: 5c9a9c502f8949fddf991399862f24e9
  SHA1: 0c1140417266fd9e1574c6240b69c717fd05ae97
  SHA256: 61b7d46e9047c5a7ab1d1bfccc0a6606652a7b360879e81af2f0807c7b548936
  SHA512: 1a9b0f09e1a90cb64978eb2e258953e15a38f994a8a025747607deea2f9b280f77e99877ce7e2ed78845b7a52afa0b919f68a97d7d157dc66fe822b4d5489823