Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: 1d604908f917403385d726c694a8b040
- SHA1: 9c5a6de198728ed1659409e19ffa2bfab9c7e438
- SHA256: 0dbeefd31c074d4961a8aee9bee33e3543174598a770561d0e23f6d62bd2deca
- SHA512: 142af2de8fc29bdeb5b5bf05c1848495e8c4fc0d391e0c7923159c20f3c2db95e06c773371bbe09330ffbeea6d8058560db6f609bb950f27519cf3ff351d34db
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1112 | ecaopti.exe
  2100 | xbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3M\\xbodsys.exe" | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHX\\bodaec.exe" | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe
  1112 | ecaopti.exe
  2100 | xbodsys.exe
  (the 64 entries repeat these three pid/process pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4944 wrote to memory of 1112 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 85
  PID 4944 wrote to memory of 1112 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 85
  PID 4944 wrote to memory of 1112 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 85
  PID 4944 wrote to memory of 2100 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 86
  PID 4944 wrote to memory of 2100 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 86
  PID 4944 wrote to memory of 2100 | 4944 | 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe (PID 4944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (PID 1112)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe3M\xbodsys.exe (PID 2100)
    Command line: C:\Adobe3M\xbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads