Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 02/06/2024, 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Size: 3.0MB
MD5: 7812552ab69315d1846232b2802885a0
SHA1: 03009a8dd7983504158f7b3db570275cdd3034fb
SHA256: 8cb8e8317e97f9cc32f42b6d3ec3245c9ea032af1bc139498773d8e9636a22fc
SHA512: 2f03cab1d20a4f715f97bd04934fe2b3040e7c506c8ad38fd4b7f327f4243a60356b22face80ed6132c80e1e3389f871ffb536cbd5d719bd44be53cae4118346
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8:sxX7QnxrloE5dpUpcbVz8
Malware Config

Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2948  sysxdob.exe
  1456  xdobloc.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUR\\dobasys.exe"
  Process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU4\\xdobloc.exe"
  Process: 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Distinct pid/Process pairs across the 64 events:
  pid   Process
  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
  2948  sysxdob.exe
  1456  xdobloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                              procid_target
  PID 2992 wrote to memory of 2948  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  89
  PID 2992 wrote to memory of 2948  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  89
  PID 2992 wrote to memory of 2948  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  89
  PID 2992 wrote to memory of 1456  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  90
  PID 2992 wrote to memory of 1456  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  90
  PID 2992 wrote to memory of 1456  2992  7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2992

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (depth 2, child of PID 2992)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2948

  C:\FilesU4\xdobloc.exe (depth 2, child of PID 2992)
    Command line: C:\FilesU4\xdobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1456
Network
MITRE ATT&CK Enterprise v15
Downloads