Analysis
- max time kernel: 149s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 02/06/2024, 05:07
Static task: static1
Behavioral task: behavioral1
- Sample: 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
- Size: 4.0MB
- MD5: 3c3df56fce82282df4d0f01614375ee0
- SHA1: b2aa605ecb3851141ed386e1d8913c6116ad8c4b
- SHA256: f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048
- SHA512: 7ddc404b57eb95ad7485fd3700470ebd3e2441e1b87a8a9409174eb786f0455c8126feebef856acc71b5334eb8cd4c8576f7ee6b419f002a1ee77dace53ce381
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz
Malware Config
Signatures
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
3344 | sysadob.exe
3744 | devoptisys.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYL\\devoptisys.exe" | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO2\\boddevsys.exe" | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
3344 | sysadob.exe
3344 | sysadob.exe
3744 | devoptisys.exe
3744 | devoptisys.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2096 wrote to memory of 3344 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 86
PID 2096 wrote to memory of 3344 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 86
PID 2096 wrote to memory of 3344 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 86
PID 2096 wrote to memory of 3744 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 88
PID 2096 wrote to memory of 3744 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 88
PID 2096 wrote to memory of 3744 | 2096 | 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | 88
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
  PID: 2096
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 3344
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\IntelprocYL\devoptisys.exe
    Command line: C:\IntelprocYL\devoptisys.exe
    PID: 3744
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 4.0MB
MD5: 8cc47dd48e8dab707f7311aa39b107b9
SHA1: 25d4492f5c199a445dbe0ae730b54ff9e371824c
SHA256: f7a6c5d7d14486c67f25dd7ced94afb16b2f7578390325a725c0e534bea5cc39
SHA512: fa70c94cce92175ee4590fbd981cfd73130416232145eddd07b5d95a1a09637f1bce0358c655fac3eeb72ce39e7d6f2aa630d3c9a93df478bba3bf3f4a7389a0
-
Filesize: 2.0MB
MD5: 2456e825ceeedb20f71206165d49e947
SHA1: 890f9632fef2a6bf43a9dfd735746c09de658961
SHA256: bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606
SHA512: 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e
-
Filesize: 4.0MB
MD5: b73e8bf8c333a1ad05e6a8f5c9374821
SHA1: e2efd773b0f6fb7c2cf3de19961d35c76f54ce2f
SHA256: 6f833963eaf072bc92fdd5bc9e2ad3178a7f9a8778073f5bab30bfccfb4184e8
SHA512: f201f5e9b649447f6d65bfd89655b4d69a70e77b2cf24f709e3f27dd9a72d347e5d1d29d6c52a640ca7cf0c4843f41d7211e4c5c2110366a46ca786c0eb6f4ac
-
Filesize: 209B
MD5: a012c1e96f087446e3321d83eb909b17
SHA1: 6fcb720c4205706e98604fbe61113077abbb7311
SHA256: e4daf790e13b6fe0e40083e5c5449af38e6d9e53762bc1f6133058c951196406
SHA512: 144101c645da222c0f073a8943a4aa8a01f55eb4021b2402212680721a1e53f7f57617a42b34cbb3e12c98d35e48e7017f89b836313e2db76032e4e7b84ccc78
-
Filesize: 177B
MD5: c6b70840996d34cd20da84b7d85908aa
SHA1: d30f9ffabb2c1eb2cdb7c0853a97da6a68be030b
SHA256: 9a1e413db6a9857f43d6ccfaea751e074cb405732fb396fd002f25730b95273e
SHA512: 55d9717ccc7cf5eeb8296b7cd67894e06bfca941d65a5e56f5ccf03c7202fe262ce4c1bcda2c47989688c9c0bfd5d0c722bde1ef515ba4a45106a96d3312d1f1
-
Filesize: 4.0MB
MD5: deb623d98fcfd9f39321ad81e817eeeb
SHA1: aafd974fa45375b560b29bf5ae6a08e83dea83be
SHA256: 703d063f3f7bc93514e3efa7118058ddb23d874e08653955e89d4952557fab7d
SHA512: 02d45457cbefed988bd9c77dce12749cf3a717024b44c50d395c82b093579c93e44a7f26563a33cab533cc7a6f29b6932506d821fb577d829efd8475ffb63e54