Analysis
Max time kernel: 149s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 02/06/2024, 05:43
Static task: static1
Behavioral task: behavioral1
  Sample: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
Size: 4.1MB
MD5: 41d8293d6d470a82147f90db4bbd7e40
SHA1: fefd07c84d228b570be7182fb1f2e045c751cebb
SHA256: 6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5
SHA512: 9516512dcae7a0d44d0d622464a2b3aae81b6e45e8dd94bedcb70c7549ff7dfb73cf061d174e4a5dc4a3ab642eaa538d2c0c31753c06403152b8d600edcbc66e
SSDEEP: 98304:sxX7QnxrloE5dpUp3bVz8eLFcz1/wiAUc2:sxX7QnHoE5dux9a1/pc2
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
  PID 2904  locxdob.exe
  PID 1736  devoptisys.exe

Loads dropped DLL (2 IoCs)
  PID 2020  41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe (2 events)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4I\\devoptisys.exe"
    Process: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2C\\dobxsys.exe"
    Process: 41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2020  41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe (2 events)
  PID 2904  locxdob.exe
  PID 1736  devoptisys.exe
  (the remaining 62 events alternate between PID 2904 locxdob.exe and PID 1736 devoptisys.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2020 (41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe) wrote to memory of PID 2904, procid_target 28 (4 events)
  PID 2020 (41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe) wrote to memory of PID 1736, procid_target 29 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe"
  PID: 2020
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 2904
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Files4I\devoptisys.exe
    Command line: C:\Files4I\devoptisys.exe
    PID: 1736
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads