Analysis
-
max time kernel: 149s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:34
Static task: static1
Behavioral task: behavioral1
  Sample: 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the run reported on this page; platform windows10-2004_x64)
  Sample: 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
-
Target: 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
Size: 3.6MB
MD5: 9d4ae5ae39aa1c037118fa15b464dc50
SHA1: 048df40460e2574e3aec0f580f1b30e6ee46c881
SHA256: 2592cccfbaae2a195af5035ecacf092a2d01b491bf02676ac26589efca2a5243
SHA512: 488bbb96e5ace473da42726ff0e18ae41cdfb1ff061815a6b76a05d370935e9e45452e746a9acab8bd8a0a3dc922948286da2168da5d1db27e7edbbbd7261b22
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpCbVz8
Malware Config
Signatures
-
Drops startup file (1 IoC)
  Process: 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Anything in the per-user Startup folder runs at the next interactive logon of that user, so this is a persistence mechanism on its own, independent of the registry Run values below.
-
Executes dropped EXE (2 IoCs)
  PID 2256  sysdevdob.exe
  PID 2552  devoptiloc.exe
-
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. No file-level IoCs are listed for this signature in this run.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGD\\devoptiloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBQ\\optidevloc.exe"
  \REGISTRY\USER\<SID>\... is the kernel path of HKEY_USERS\<SID>, i.e. the logged-on user's HKCU hive; on a live host the same values show up under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce. Both values share the name "Parametr". The RunOnce value points at C:\GalaxBQ\optidevloc.exe, a path that appears nowhere else in this trace; the process that actually started is C:\AdobeGD\devoptiloc.exe (PID 2552, the Run value). Note the swapped name (optidevloc vs devoptiloc) and hunt for both paths.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated process-enumeration events from three processes (the 64 entries collapsed by PID):
  PID 4564  9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  PID 2256  sysdevdob.exe
  PID 2552  devoptiloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                                       Target PID  procid_target  Events
  4564        9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe  2256        87             3
  4564        9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe  2552        90             3
  Both targets are the children the sample itself spawned (see Processes). A parent writing into a child it has just created is a pattern this signature also fires on for ordinary process creation, so on its own it does not show injection into a pre-existing process; a write into a PID outside the sample's own tree would be the case to escalate.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe"
  PID: 4564
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  |     Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  |     PID: 2256
  |     - Executes dropped EXE
  |     - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\AdobeGD\devoptiloc.exe
        Command line: C:\AdobeGD\devoptiloc.exe
        PID: 2552
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
-
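The persistence entries and the process tree above, reconciled in an added Python example that is not part of this report or of any sandbox tooling. It parses the report's flattened "Set value (str)" and "PID x wrote to memory of y" lines exactly as they are copied here, normalizes the \REGISTRY\USER\<SID> paths to the HKU/HKCU form a host query uses, checks each WriteProcessMemory target against the process tree, and lists autorun targets that never executed during the run (which is how the unused C:\GalaxBQ\optidevloc.exe entry surfaces). The record field names and CONSTRUCTED_INJECTION_LINE are the example's own assumptions, not data from the report.

```python
import re
from collections import Counter

# Signature lines copied from this report (Triage's flattened text form).
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGD\\devoptiloc.exe" 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBQ\\optidevloc.exe" 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe',
]
STARTUP_FILES = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe',
]
WPM_LINES = [
    "PID 4564 wrote to memory of 2256 4564 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe 87",
] * 3 + [
    "PID 4564 wrote to memory of 2552 4564 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe 90",
] * 3
# Process tree from the report: (pid, parent pid, image path).
PROCESS_TREE = [
    (4564, None, r'C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe'),
    (2256, 4564, r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe'),
    (2552, 4564, r'C:\AdobeGD\devoptiloc.exe'),
]
# Constructed (NOT in the report): a write into a PID that is not a child of 4564,
# included only to show which shape of event assess_wpm() escalates.
CONSTRUCTED_INJECTION_LINE = "PID 4564 wrote to memory of 616 4564 example.exe 12"

RUN_KEY_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)\\(?P<key>[^=]+?)\\(?P<name>[^\\=\s]+) = "(?P<data>[^"]*)"'
)
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) ')


def parse_run_keys(lines):
    """Turn the report's Run/RunOnce lines into hunt-ready records.

    \\REGISTRY\\USER\\<SID> is the kernel path of HKEY_USERS\\<SID>, which is the
    logged-on user's HKCU hive, so both forms are emitted for host-side queries.
    """
    records = []
    for line in lines:
        m = RUN_KEY_RE.search(line)
        if not m:
            continue
        records.append({
            "sid": m["sid"],
            "key": "HKU\\" + m["sid"] + "\\" + m["key"],
            "hkcu_key": "HKCU\\" + m["key"],
            "value_name": m["name"],
            "autorun": m["key"].rsplit("\\", 1)[-1],   # "Run" or "RunOnce"
            "data": m["data"].replace("\\\\", "\\"),   # the report escapes backslashes
        })
    return records


def parse_wpm(lines):
    """Count WriteProcessMemory events per (source pid, target pid) pair."""
    counts = Counter()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            counts[(int(m["src"]), int(m["dst"]))] += 1
    return counts


def assess_wpm(counts, tree):
    """Label each write pair: a parent writing into a child it created is what
    process creation looks like in this signature; a write into any other PID is
    the case worth escalating (injection into a pre-existing process)."""
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    verdicts = {}
    for (src, dst), n in counts.items():
        if parent_of.get(dst) == src:
            verdicts[(src, dst)] = "process creation (%d writes into own child)" % n
        else:
            verdicts[(src, dst)] = "possible injection (%d writes into non-child pid)" % n
    return verdicts


def persistence_paths(run_records, startup_files, tree):
    """Return (all autorun targets, autorun targets that never ran in the trace)."""
    targets = {r["data"] for r in run_records} | set(startup_files)
    executed = {path for _, _, path in tree}
    return targets, targets - executed


if __name__ == "__main__":
    recs = parse_run_keys(RUN_KEY_LINES)
    for r in recs:
        print("%-8s %s\\%s = %s" % (r["autorun"], r["hkcu_key"], r["value_name"], r["data"]))
    for pair, verdict in assess_wpm(parse_wpm(WPM_LINES + [CONSTRUCTED_INJECTION_LINE]), PROCESS_TREE).items():
        print("%d -> %d: %s" % (pair[0], pair[1], verdict))
    targets, never_ran = persistence_paths(recs, STARTUP_FILES, PROCESS_TREE)
    print("autorun targets:", sorted(targets))
    print("set but never executed in this run:", sorted(never_ran))
```

The never-executed set is the useful output for a hunt: a value under RunOnce is deleted by Windows after it fires, so on an infected host you may find only the C:\GalaxBQ\optidevloc.exe binary (or nothing at that path) and the Run value for C:\AdobeGD\devoptiloc.exe, depending on how many logons have happened since infection.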
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 408KB
MD5: 041de19463513d412dedbcb9b654d5b9
SHA1: bf3edb9ab6deae6642ad1dd2d32353ba205c929c
SHA256: 5499e8bd08ed16b244370d84f108ba0cafe6afd7bb93348b9b2950206825da3e
SHA512: 6c393685b7da9ec1422514688b4167a5b3db1afd797d84b15c7f37fe6bfe3990e63a8bd04964e025435cc24498e036adab1c4da04ffe4aa8c1f60db247c7930c
-
Filesize: 3.6MB
MD5: 9c8a422dd3e2506041417004ad901135
SHA1: d5b5efe873dde3e177cfd4c14e1485bcabc28f7c
SHA256: 64b6b5944cfabed098ba9429ca59a141de3c3db18d4f246422077c74b5bb56fb
SHA512: 904f11e07d002f1c9b7e0306dc94be8aa7f25d3c5a81808e348e418e1e98b482236a6ff9e9d006fdd2234d1abf548e0bc6111bd2088445c7e7b1657b43ca2965
-
Filesize: 3.2MB
MD5: 6c08f5f0a583faaa334c90bbbad1bc05
SHA1: e700c789c43efab96badeb0caf6c23b8d42af57e
SHA256: 9d7df895417e18dd2736e02f4793e0e8c22e8856f8cfc2c7877feb124ef4897e
SHA512: 7feb7683c22493f747b44abca1a52cb34f628148bd139d3636414ff8dbd7727789ee11da88edd589cf2c3696f4425c3e916c8e392104d7520a9b7d8fa3345fe8
-
Filesize: 92KB
MD5: db60924fdcd457c1cfbb399f4fc7d13e
SHA1: d070b431d1d7bd91a603447a3c78fcc8ace5cce5
SHA256: 4429e3955e01bb133cc7fced719828aa437cc75c681979fc8b27d81367755141
SHA512: 613a81fbc3927ed714f83a41991dd251fb59943888164f1fcd6caf694f47f320404621d6fa417fb36589b5b3b73895dfcdc2271be07951fe70203172d78e86c8
-
Filesize: 209B
MD5: f3bf59748798b0e0ab776c7d7c617423
SHA1: 57b0bed10cc179c3837627894224da9601f04d2c
SHA256: dbb44fccf5577577c6f9493de6e77bf57f672924a2c9f413aba60556566128d0
SHA512: cfce0c8d2d7e48497fcadbed1a8917be6b3aeea2a4f2da9fae20c13f1aca2933e624252f571a04b40abec9da984b783a5edc488c0ed7115de051f5c1441fcff4
-
Filesize: 177B
MD5: 4722a849310018b6fa60bc71842b0e32
SHA1: b8a691927429a7c7e2676ae3688ce93387f691f7
SHA256: 007804d6da7afda31bea16d15e6446d0643d8056421d356a362b8fcbf41ae036
SHA512: 7a175dc9b5d6d73bbef36d13b2b5a75abbb11c3d82375f2e747524c63430372ee778f6a8da2ae2ff80b7838bc58a1be13f3e8ee36ee21ed5f5b78b98d9b51f69
-
Filesize: 3.6MB
MD5: 87018a211d52b088ac9f8c58f8c6123c
SHA1: 34ca91305f6034bb56d5bec8a657c7b6bff915dc
SHA256: 5875af42145dd9b59460b890db6b6f2ebef4f8a927062561a69fc1601d7e161e
SHA512: 52908b5763589d61b3471d87adac6c6f7a5f816f7ad55c692e38b9017e336f814560c779afe4fdf4be61cff6e094eccce5bdf7aa270aa442067e5a9bfb460100
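Hunting for the files in the table above on a live filesystem, as an added Python example that is not tooling from the sandbox or from this report. The sizes listed here are rounded ("408KB", "3.6MB"), so the example turns each into a byte window, hashes only files whose size falls inside some window, and compares SHA-256 rather than MD5. The rounding convention (printed precision, 1000- or 1024-based units), the constructed 3-byte IoC and the temporary demo directory are the example's own assumptions; the seven SHA-256 values are copied from the table.

```python
import hashlib
import os
import re
import tempfile

# Digests copied from the Downloads table of this report (size as printed there).
REPORT_IOCS = [
    {"size": "408KB", "sha256": "5499e8bd08ed16b244370d84f108ba0cafe6afd7bb93348b9b2950206825da3e"},
    {"size": "3.6MB", "sha256": "64b6b5944cfabed098ba9429ca59a141de3c3db18d4f246422077c74b5bb56fb"},
    {"size": "3.2MB", "sha256": "9d7df895417e18dd2736e02f4793e0e8c22e8856f8cfc2c7877feb124ef4897e"},
    {"size": "92KB",  "sha256": "4429e3955e01bb133cc7fced719828aa437cc75c681979fc8b27d81367755141"},
    {"size": "209B",  "sha256": "dbb44fccf5577577c6f9493de6e77bf57f672924a2c9f413aba60556566128d0"},
    {"size": "177B",  "sha256": "007804d6da7afda31bea16d15e6446d0643d8056421d356a362b8fcbf41ae036"},
    {"size": "3.6MB", "sha256": "5875af42145dd9b59460b890db6b6f2ebef4f8a927062561a69fc1601d7e161e"},
]
# Constructed entry (NOT from the report): sha256(b"abc"), 3 bytes, so the demo
# directory below can produce a hit without any real malware on disk.
CONSTRUCTED_IOC = {"size": "3B", "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}

SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB|GB)$")
UNITS = {"B": 0, "KB": 1, "MB": 2, "GB": 3}


def size_window(text):
    """Map a rounded report size to an inclusive byte range [lo, hi].
    Assumption: the report rounds to the printed precision and may use either
    1000- or 1024-based units, so the window covers both conventions.
    Integer arithmetic throughout, so the bounds are exact."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    num, k = m["num"], UNITS[m["unit"]]
    if k == 0:
        return int(num), int(num)
    decimals = len(num.split(".")[1]) if "." in num else 0
    scaled, denom = int(num.replace(".", "")), 10 ** decimals   # "3.6" -> 36 / 10
    lo = (2 * scaled - 1) * 1000 ** k // (2 * denom)             # (num - half) * 1000^k
    hi = (2 * scaled + 1) * 1024 ** k // (2 * denom)             # (num + half) * 1024^k
    return lo, hi


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, iocs):
    """Walk root; hash only files whose size falls inside some IoC window.
    Returns ({path: sha256} for hits, files hashed, files skipped by size)."""
    windows = [size_window(i["size"]) for i in iocs]
    wanted = {i["sha256"] for i in iocs}
    hits, hashed, skipped = {}, 0, 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if not any(lo <= size <= hi for lo, hi in windows):
                skipped += 1
                continue
            hashed += 1
            digest = sha256_file(path)
            if digest in wanted:
                hits[path] = digest
    return hits, hashed, skipped


def build_demo_dir():
    """Constructed directory: one file matching CONSTRUCTED_IOC, one same-size
    non-match (size alone is never evidence), one file outside every window."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    for name, data in (("hit.bin", b"abc"), ("same_size.bin", b"xyz"), ("big.bin", b"A" * 5000)):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def demo():
    return hunt(build_demo_dir(), REPORT_IOCS + [CONSTRUCTED_IOC])


if __name__ == "__main__":
    hits, hashed, skipped = demo()
    print("hashed %d file(s), skipped %d by size" % (hashed, skipped))
    for path, digest in hits.items():
        print("HIT", path, digest)
```

Against a real host the call is `hunt(r"C:\", REPORT_IOCS)` (or the user profile and C:\AdobeGD, C:\GalaxBQ from the Run values), and the size window is what keeps that tractable: only files near 408KB, 3.2MB, 3.6MB, 92KB, 209B or 177B are read at all. Two table entries share the 3.6MB size with the sample itself, which is why matching is done on SHA-256 and not on size or MD5.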