Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
02/06/2024, 05:07
Static task
static1
Behavioral task
behavioral1
Sample
3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
-
Size
4.0MB
-
MD5
3c3df56fce82282df4d0f01614375ee0
-
SHA1
b2aa605ecb3851141ed386e1d8913c6116ad8c4b
-
SHA256
f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048
-
SHA512
7ddc404b57eb95ad7485fd3700470ebd3e2441e1b87a8a9409174eb786f0455c8126feebef856acc71b5334eb8cd4c8576f7ee6b419f002a1ee77dace53ce381
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz
Malware Config
Signatures
-
Drops startup file 1 IoCs
description   ioc                                                                                          Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
-
Executes dropped EXE 2 IoCs
pid   Process
2604  ecdevbod.exe
2136  adobloc.exe
-
Loads dropped DLL 2 IoCs
pid   Process
3048  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
3048  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                    Process
Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6H\\bodaloc.exe"  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGD\\adobloc.exe"     3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
Note: both values use the same name, "Parametr". adobloc.exe (the Run target) is also launched directly by the parent process in this run (PID 2136); bodaloc.exe (the RunOnce target) is only referenced by the registry value and does not appear in the process tree, so a hunt based on process creation alone would not see it.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
3048  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe  (2 entries)
2604  ecdevbod.exe  (the remaining 62 entries alternate between these two processes, 31 each)
2136  adobloc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process                                               procid_target
PID 3048 wrote to memory of 2604  3048  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe  28  (4 entries)
PID 3048 wrote to memory of 2136  3048  3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe  29  (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe  (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  (depth 2, child of PID 3048)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
-
  C:\SysDrvGD\adobloc.exe  (depth 2, child of PID 3048)
  Command line: C:\SysDrvGD\adobloc.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
-
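The persistence and execution signatures in this report (a file dropped into the user's Startup folder, Run and RunOnce values named "Parametr" pointing at C:\SysDrvGD\adobloc.exe and C:\LabZ6H\bodaloc.exe, and execution of the dropped binaries) map directly onto host telemetry. The following is an added example and not part of the sandbox report or the sample: it copies the IoCs from the report above and runs simple matching over Sysmon-style events. The event dicts are constructed for the demo; they use Sysmon's real field names (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent) but the dict layout and the export path are assumptions.

```python
"""Match Sysmon-style host events against the IoCs from this sandbox report.

Added example: not the report's own tooling and not the sample's code.
IoCs are copied from the report; SAMPLE_EVENTS are constructed for the demo.
"""
import re

# --- IoCs copied from the report (compared case-insensitively) -------------
SAMPLE_SHA256 = "f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048"
DROPPED_EXES = {r"c:\sysdrvgd\adobloc.exe", r"c:\labz6h\bodaloc.exe"}
RUN_VALUE_NAME = "parametr"  # value name used for both the Run and RunOnce entries
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)


def parse_hashes(field):
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes string into {ALG: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, digest = part.split("=", 1)
            out[alg.strip().upper()] = digest.strip().lower()
    return out


def classify(event):
    """Return the report signature names one event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 11:  # FileCreate: anything written into the per-user Startup folder
        if STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
            hits.append("Drops startup file")
    elif eid == 13:  # RegistryEvent (value set) under Run / RunOnce
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append("Adds Run key to start application")
            if target.rsplit("\\", 1)[-1].lower() == RUN_VALUE_NAME:
                hits.append("Run value name 'Parametr' matches report")
            if event.get("Details", "").strip('"').lower() in DROPPED_EXES:
                hits.append("Run value launches dropped EXE")
    elif eid == 1:  # ProcessCreate: dropped binaries or the known sample hash
        image = event.get("Image", "")
        if image.lower() in DROPPED_EXES or STARTUP_DIR_RE.search(image):
            hits.append("Executes dropped EXE")
        if parse_hashes(event.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
            hits.append("Known sample hash")
    return hits


def scan(events):
    """Map RecordID -> hits for every event that matched at least one signature."""
    return {e["RecordID"]: hits for e in events if (hits := classify(e))}


# --- Constructed sample events (assumed layout; values mirror the report) --
USER_HIVE = r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "ProcessId": 3048, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe",
     "Hashes": "MD5=3c3df56fce82282df4d0f01614375ee0,SHA256=" + SAMPLE_SHA256},
    {"RecordID": 2, "EventID": 11, "ProcessId": 3048,
     "TargetFilename": STARTUP + r"\ecdevbod.exe"},
    {"RecordID": 3, "EventID": 13, "ProcessId": 3048,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrvGD\adobloc.exe"},
    {"RecordID": 4, "EventID": 13, "ProcessId": 3048,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZ6H\bodaloc.exe"},
    {"RecordID": 5, "EventID": 1, "ProcessId": 2604, "ParentProcessId": 3048,
     "Image": STARTUP + r"\ecdevbod.exe"},
    {"RecordID": 6, "EventID": 1, "ProcessId": 2136, "ParentProcessId": 3048,
     "Image": r"C:\SysDrvGD\adobloc.exe"},
    # benign controls: an unrelated process and an unrelated registry write
    {"RecordID": 7, "EventID": 1, "ProcessId": 4000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "MD5=00000000000000000000000000000000"},
    {"RecordID": 8, "EventID": 13, "ProcessId": 5000,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS).items():
        print(record_id, hits)
```

The registry rule deliberately does not depend on a matching ProcessCreate: in the constructed events, record 4 (the RunOnce value for C:\LabZ6H\bodaloc.exe) is flagged even though, as in the report's process tree, that binary never runs. Matching is case-insensitive because Windows paths and registry names are, and hash comparison uses the Sysmon Hashes string rather than the image path so a renamed copy of the sample is still caught.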
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  4.0MB
MD5       b4e7073f4802ce1a6bf970b42a524ad2
SHA1      2363d714a52bb2439cbf48ccfbbd1e29536cfe3b
SHA256    d0fbb44f041a1019890a0633c8ae4a3715ffc1c135832b18a62aa0d06ca73f50
SHA512    fd0f9588e92060d284ba69e18e7e9033d138041b51fffc6ad73b5e5fe27f44655982d943550319aaf122dff540611c5e1e511b0ddf12b15f7735200db50404f7
-
Filesize  4.0MB
MD5       3746139f59df2bf83446ffc0f4bdde87
SHA1      d76e0ddf5f3e0c51b9f0f7cca0a4558e1f2c1b53
SHA256    777e02d38f089426e9d0fed1259c5aebdaec2b25b681cdf5e72bed17a9d27574
SHA512    43628512790448acb49114e85043e36e3b28284974c164c04007ee873968ae69108ae3d35a9f26ad15a1f38add64ab76f51875d21ab376a3c8c2c910b08847c0
-
Filesize  4.0MB
MD5       b5f2c4f840e58fe7dbb9929b7828aca4
SHA1      292f3bc411f713a0625510f0da6f573b603e353b
SHA256    a57a01e70eae890153ba686815353084d1bc8a65427c447d1e0f17c9b9eeb9a7
SHA512    da5606726bedfa724640d7eb577495f574c7c04e9e53bd39c2c722cb83753f9be4215dcb48a3f67bf3f4ac39f69dbe285fecd1f8a6302b2146bbbf99b6d50ea0
-
Filesize  170B
MD5       e67a20773f54763c2abd62dfd1afbac5
SHA1      e8aa226f23976a38d29ca80d7cf41732b68d8051
SHA256    b515e0725c37dff5eb773be0ac3192614b5798d46a352a67f434fff4f11564b7
SHA512    a8a9cc8d34d2b5aff344d8292dd8b4b30947c2fb0d750dd6d701310f395ece2a270df25043b1adb9e6dfac36576908779e2a364430eb40f9bedec991946d3255
-
Filesize  202B
MD5       dda27ad32db4a85ccbe27ff6e3fb960e
SHA1      644175d64f7e41b6fbee0eac161263244247bb0f
SHA256    22327df47c7c578c798729697f9a92130698ecb529a8bee8d250ec056d20184a
SHA512    4b95424abafb8d8446a447c134c432963130b14d056c373a5ff4df8d949e24dca74e79aa496e063673665f5043f780f834e8b7e8a8f2859b03026ce53e1057c5
-
Filesize  4.0MB
MD5       400df63cbb09dcf7b37fa37a57a40a92
SHA1      ef98ee73e3d387bf97bc7db85a6d05ee0a196aec
SHA256    4fb7a8c7497c5f32e1a98a49a404a9024804cb46ff0236bcceea1e37c60e623a
SHA512    537266d6f6f12a8c4392895c1c745c8b46cd4f9402b27d30b247e8964f76e41be4f31fa2f06a4245a57c27c058dee41b1ee6b7b1c8a1563f8940b7c3f40de953