Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
Size: 4.0MB
MD5: 18e4b311da973f96bdc5fa89bdb1f9f0
SHA1: ab892e53adef8f72b9267f22d00be349566c1d40
SHA256: ed8e54a4324ea0f52a9102821073aa15bdf95933054af5dc5d3d15041a11645f
SHA512: c4a3de09ee46894960d642486968fff211b3b0eb6bb32c63d0a8997e031c0490c435ccd7a9d3a9620a371c4defdcf7e0648f84ddbf0798135bf85ce5d8d28e60
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)

Executes dropped EXE (2 IoCs)
  PID 4180: sysdevbod.exe
  PID 2024: aoptisys.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe" (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe" (process: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3588: 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe (4 entries)
  PID 4180: sysdevbod.exe and PID 2024: aoptisys.exe (the remaining 60 entries, alternating in pairs)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3588 (18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe) wrote to memory of PID 4180, procid_target 86 (3 entries)
  PID 3588 (18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe) wrote to memory of PID 2024, procid_target 87 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3588

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (child of PID 3588)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4180

  C:\FilesOH\aoptisys.exe (child of PID 3588)
    Command line: C:\FilesOH\aoptisys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2024
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.9MB
MD5: f174f3a13923af4f86158675e1f78c59
SHA1: 4b5fdb20a7b8db69b2cacf573ebfd70a7fb1d727
SHA256: db860d6b861cd1195091157ffab3c609f306552683cbc4044f5d8a61e0934fb2
SHA512: 5cb013f8ed89600b8faf2bee85f9acb71c41ebbc0e7cca9d512b846fa4a4889d314716193bab08c4d94c7a1e1171d575dc0c590330744e2b344ef37be93d0e0f

Filesize: 4.0MB
MD5: 4d7897cab0d40c5d073313fbc39472bb
SHA1: 8a763508a9df9847be89f93cb1c401f3583b8a3f
SHA256: 98985c258258b188ca917f9c3b53d0436bcc6a76ffad44ecc2988ea6ca2ba444
SHA512: 1c14522049917b57d0dfababf5395ac3c4531f8b30e01a32bbb1ce7e6197c525624f5514170e1f8b230c0ba2b60e22893bae835130b58f29dcbbd6979cd9f1b4

Filesize: 4.0MB
MD5: 51110fd08d8808dcd8005334efc0fb35
SHA1: 1e53ecc9a55e60c4248894e860f57f3f339d5fcb
SHA256: d8bafb60ffbf5d6363ab96930afa42e999096856887af056cab4a01a13a7a96b
SHA512: dde3cec0c95b488d175a34e8690b2c76a19f8e1f0a05957a6943e5ec4fac23c8495f1d2cadd5e64ebe952f3698b932ea5503f7dcc7d840cc2df8b70a362a61e7

Filesize: 805KB
MD5: 9de3732d89168273a208fe06e03cd8b2
SHA1: ac0a6e4cd5d45ef7900d99685f898b7948656ca1
SHA256: c1bf19d73c380f7d05a728b1d32545aa938fab9a4a9967709ef5151f8fec035f
SHA512: e82d07f05da07cfb74637edae4fd85e8ca663a69c5c8a3c836dba4464400bc679e99025c9b71f03cb189f4ab66185ff107271f9194c9d0ccd6c00a4a0ff70496

Filesize: 204B
MD5: fa5fb7767c2d07c19bd3b697680f0fc5
SHA1: 0ed227be570e06a782c6289bc35e3a90e2ad8cfc
SHA256: 0c60b70960d7d075eb7124787d3631b0af1b07980f787f04c2e72670c0b3136f
SHA512: 84bfd9974b483ecbac568fd4803c9b0cade277cea108ffd38a4dada0c4791f3742f73c25d38397999e5329d75c5e5c343a220c57706c617e5e729911b1728648

Filesize: 172B
MD5: 792cc3ac79c7635d2f3c1d9aad57bf84
SHA1: 8fa624b7b2a4855252ed44f44066028b039d655d
SHA256: cf8277cfb5633b2d630a28a4b556cb7ff6016c35329b9b8a8197ae4271652b9f
SHA512: 1484a96c81f5ba04620908596156d0bf0970e05d7929a59668b5737583495c4d6c34f7d9a39302c6c4c07c67cedf1691ecf8b6685eb5c5d6cc3a83ec22463abf

Filesize: 4.0MB
MD5: 766ed5059fd8fcdfb2a51c72cc5deb3c
SHA1: 985f876e47fd4149cbb4268c6c886369d46d7a54
SHA256: 1e30bbe43a8241393e051cdcd561c6097d8a0fb946ff94282bb8c5a6bb4146eb
SHA512: 20edc4b1495e4dc7fa4c5dad7592b782d8c57c9d5dc8683d17220ba824561e5556298223ad4f6cb060f417e2bf43bd4d26d1fa4a375fd87daf758aed1d565153