Analysis
max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
02/06/2024, 01:39
Static task
static1
Behavioral task
behavioral1
Sample
1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Size
3.9MB
MD5
1dc8ee51bc2ea2dedbdebaa13f155160
SHA1
353342a43a29fe2c309e0ae6fc94c597fcc96bc9
SHA256
c03c26b58140e15af25e6f1354e61f87f1e2b55c60b7480617fae2149942fc67
SHA512
ad83814f67e42188d6f6a951f7ab20a083d07553af03bb0303ea958d0cce9a518373b64d7e249ab697b109ea43ef5ebf366f1acc86b6704f57188de03fac067d
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8:sxX7QnxrloE5dpUpQbVz8
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Executes dropped EXE 2 IoCs
  pid: 2656  Process: sysxdob.exe
  pid: 2640  Process: devbodloc.exe
Loads dropped DLL 2 IoCs
  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9M\\devbodloc.exe"
  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSX\\dobdevec.exe"
  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1644 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe 1644 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe 2656 sysxdob.exe 2640 devbodloc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
  description: PID 1644 wrote to memory of 2656  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 28
  description: PID 1644 wrote to memory of 2656  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 28
  description: PID 1644 wrote to memory of 2656  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 28
  description: PID 1644 wrote to memory of 2656  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 28
  description: PID 1644 wrote to memory of 2640  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 29
  description: PID 1644 wrote to memory of 2640  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 29
  description: PID 1644 wrote to memory of 2640  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 29
  description: PID 1644 wrote to memory of 2640  pid: 1644  Process: 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe  procid_target: 29
Processes
C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1644
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2656
    C:\SysDrv9M\devbodloc.exe
      Command line: C:\SysDrv9M\devbodloc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
3.9MB
MD5
e3aacacec53011b6206a9c3fc1ffbc58
SHA1
9f49330b81c96e79c03759b83ed706fae399e4dd
SHA256
4594010f9028d13fbd9e1c085de36377bd4f1676093cae03bb0a1dae81dacf9f
SHA512
f5a6739d266e4b5afcd3eda533faa581a273d99a479a1d2f8fc6b19267e99f3aca0a696ec518d39c523426a4397412e2ca48e899527c65b8d450430850e147ee

Filesize
3.9MB
MD5
cd383c013ccafa6df1d0e74ffc344cbb
SHA1
d58732279c4a3fd08774abfe99f3e20e152717a9
SHA256
523a5fd2479a2c6f1018aa8fd23859b3e277e19bdaf7402190031026acdc4143
SHA512
ae4b2ce785196e506a7209b31ab56e7fa36ae09e2e0cdfc83da2e76b1fbb416da294e9a36367378e8089e7555e7fb77369d6cd779418e212a3da1f0366a40a73

Filesize
3.9MB
MD5
de93972e078c742e067860a4cc04872c
SHA1
4a752e442b8b446ed6f79682a215993ffb9a4a47
SHA256
f9ab2c76c5bfe850108ded22ed29e8fc7fb158168709fd5189dd379fa3662cf0
SHA512
b4c92843547e4075a35e08ad86aa312829ae413967b6c4269bd808c6948c454a20d6c31d182449d49b98bcee60717893e673e075da4965d66497b0b6326f8157

Filesize
172B
MD5
2864ae6b3fc94f45711f434c0c437a98
SHA1
b8897a729a358dc87dd8566f6882e2d7398d921e
SHA256
476f3b3c52379502b4bf29517aa72c25963c5141ce298842f8708ca641f32ccf
SHA512
75966a6fa4b54581ce5a2e0d2d4ff9cf0645ee5ec8e13ae0f09c4521a05773c2ae9f2278a36df44b6ec712843e25161d51621683a38eee7c8b20d5bf0702b340

Filesize
204B
MD5
fb88fa4fe6ae30e1a127920aaa78adda
SHA1
bd74540048e9ef6ad220de51ebb7a01d8bd49796
SHA256
3c56d13873a6d61a494f744851f1cab460deb1befc8b6f4b295c28288e08529a
SHA512
56cf4cf76ae44ddffab0dec6896ffcff34b2837f4659957ed1cf4961b0c27adbcb3a622aa9b8ff123c776974c1d1db61b4dbedb7fc05ff89e679cada97b849a1

Filesize
3.9MB
MD5
47a5fef988bff37b15c97d3f9834eebd
SHA1
3908fa254443805456c9959550dfadc60909ee94
SHA256
71a36d6cb306a3680297187e8c164b25e6481e179fa0cae46c9ff822148671e6
SHA512
699b60a0c6100075b7dcea12eab3357fb25dd7508675cd1e3c67b7d7a64ecb14cafc795073a1aadadb0f3db26ada77ea043ae8b40ed299642d7474c6c090a55a