Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 02/06/2024, 01:36
Static task
static1
Behavioral task
behavioral1
Sample
1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
Size: 2.6MB
MD5: 1d604908f917403385d726c694a8b040
SHA1: 9c5a6de198728ed1659409e19ffa2bfab9c7e438
SHA256: 0dbeefd31c074d4961a8aee9bee33e3543174598a770561d0e23f6d62bd2deca
SHA512: 142af2de8fc29bdeb5b5bf05c1848495e8c4fc0d391e0c7923159c20f3c2db95e06c773371bbe09330ffbeea6d8058560db6f609bb950f27519cf3ff351d34db
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
Drops startup file 1 IoCs
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
Process: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs
pid 2632: sysabod.exe
pid 2504: abodec.exe

Loads dropped DLL 2 IoCs
pid 2108: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
pid 2108: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5C\\abodec.exe"
Process: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCR\\optiaec.exe"
Process: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2108 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe 2108 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe 2632 sysabod.exe 2504 abodec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2108 wrote to memory of 2632 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 28
PID 2108 wrote to memory of 2632 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 28
PID 2108 wrote to memory of 2632 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 28
PID 2108 wrote to memory of 2632 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 28
PID 2108 wrote to memory of 2504 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 29
PID 2108 wrote to memory of 2504 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 29
PID 2108 wrote to memory of 2504 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 29
PID 2108 wrote to memory of 2504 | 2108 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe"
  PID:2108
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID:2632
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrv5C\abodec.exe
    command line: C:\SysDrv5C\abodec.exe
    PID:2504
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads