Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 01:04
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  - Resource: win10v2004-20240508-en
General
- Target: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
- Size: 4.0MB
- MD5: 18e4b311da973f96bdc5fa89bdb1f9f0
- SHA1: ab892e53adef8f72b9267f22d00be349566c1d40
- SHA256: ed8e54a4324ea0f52a9102821073aa15bdf95933054af5dc5d3d15041a11645f
- SHA512: c4a3de09ee46894960d642486968fff211b3b0eb6bb32c63d0a8997e031c0490c435ccd7a9d3a9620a371c4defdcf7e0648f84ddbf0798135bf85ce5d8d28e60
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)
- Executes dropped EXE (2 IoCs)
  PID 2156: locdevdob.exe
  PID 2272: adobec.exe
- Loads dropped DLL (2 IoCs)
  PID 2208: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0Z\\bodxloc.exe" (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZG\\adobec.exe" (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2208 (18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe), 2 entries; then PID 2156 (locdevdob.exe) and PID 2272 (adobec.exe), alternating, for the remainder of the 64 entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2208 (18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe) wrote to memory of PID 2156 (procid_target 28), 4 entries
  PID 2208 (18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe) wrote to memory of PID 2272 (procid_target 29), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
  PID: 2208
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 2156
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocZG\adobec.exe
    Command line: C:\IntelprocZG\adobec.exe
    PID: 2272
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
Downloads