Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 03-06-2024 05:37
Static task: static1
Behavioral task: behavioral1
  Sample: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
Size: 3.6MB
MD5: 9d5bef4d54045895d850aa9dace4b8d0
SHA1: a3b959e97b549242681d3df82ffb94d9e515add2
SHA256: 6e2ad861ed241273bea3ebfd5fab1bc106b7899808a5df5283d91f437855cd1d
SHA512: 5eafa9678c7be626ab92d36fbb1585777079cb1415e768597288d0ba2c32288192b988c9029cd19f9e74fd72c1d0f39e2992ab2735a7379b0ffa88861c71bf0a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpUbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
  PID 2100  locdevdob.exe
  PID 2636  xdobsys.exe

Loads dropped DLL (2 IoCs)
  PID 2212  9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe (2 events; the report does not list the DLL paths)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xdobsys.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint97\\optiaec.exe"
  Process: 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe
  Note: together with the Startup-folder drop above, the sample registers three user-level persistence points, and both registry values share the name "Parametr". The RunOnce target C:\Mint97\optiaec.exe does not appear anywhere in the process tree below, so it was registered but not observed running within the 148s kernel window.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2212  9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe (2 events)
  PID 2100  locdevdob.exe (31 events)
  PID 2636  xdobsys.exe (31 events)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2212 (9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe) wrote to memory of PID 2100 (locdevdob.exe), 4 times (procid_target 28)
  PID 2212 (9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe) wrote to memory of PID 2636 (xdobsys.exe), 4 times (procid_target 29)
  Note: a handful of writes from a parent into a child it has just spawned is also what the parent side of CreateProcess produces while it sets up the new process's parameters, so this signature by itself does not establish code injection; it is the dropped-EXE execution and the persistence entries above that carry the weight here.
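The persistence entries in this report (a Startup-folder drop, an HKCU Run value and an HKCU RunOnce value) are the part a responder turns into hunt indicators, and the useful question is which registered targets were actually seen running. The following Python script is an added example and not part of the sandbox report: it parses IoC lines in the textual form the report uses into normalized records (SID-qualified key collapsed to HKCU, doubled backslashes in REG_SZ data collapsed) and lists persistence targets that never appear in the process tree. The regular expressions are assumptions about this page's text layout, not a documented format; the input lines and executed image paths are copied from the report above.

```python
"""Parse persistence IoCs out of a flattened sandbox report into structured records.

Added example, not part of the original report. REPORT_LINES and EXECUTED are copied
from the report text; the regexes are assumptions about that text layout.
"""
import re
from dataclasses import dataclass

# Copied from the report's 'Drops startup file' and 'Adds Run key' signatures.
REPORT_LINES = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xdobsys.exe" 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint97\\optiaec.exe" 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe',
]

# Image paths of the three processes in the report's process tree.
EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
    r"C:\UserDot4X\xdobsys.exe",
]


@dataclass(frozen=True)
class PersistenceIoC:
    kind: str            # "startup_folder" or "registry_run"
    location: str        # Startup directory, or registry key with the SID folded to HKCU
    name: str            # file name, or registry value name
    target: str          # executable that will be launched at logon
    source_process: str  # process that created the entry


# Layout assumptions about the report text (not a documented format).
FILE_RE = re.compile(r"^File created (?P<path>[A-Z]:\\.+?\.exe) (?P<proc>\S+)$")
REG_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<value>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
STARTUP_MARK = r"\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")


def normalize_key(key):
    """\\REGISTRY\\USER\\S-1-5-21-...-1000\\Software\\... -> HKCU\\Software\\..."""
    m = re.match(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\(?P<rest>.+)$", key)
    return "HKCU\\" + m.group("rest") if m else key


def parse_line(line):
    """Return a PersistenceIoC for a Startup-folder drop or Run/RunOnce value, else None."""
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        if directory.endswith(STARTUP_MARK):
            return PersistenceIoC("startup_folder", directory, name, path, m.group("proc"))
        return None
    m = REG_RE.match(line)
    if m:
        key = normalize_key(m.group("key"))
        if key.endswith(RUN_KEYS):
            # The report prints REG_SZ data with doubled backslashes; collapse them.
            target = m.group("data").replace("\\\\", "\\")
            return PersistenceIoC("registry_run", key, m.group("value"), target, m.group("proc"))
    return None


def extract_persistence(lines):
    return [ioc for ioc in map(parse_line, lines) if ioc is not None]


def untriggered_targets(iocs, executed_paths):
    """Persistence targets that were registered but never seen running in the trace."""
    seen = {p.lower() for p in executed_paths}
    return sorted(ioc.target for ioc in iocs if ioc.target.lower() not in seen)


if __name__ == "__main__":
    iocs = extract_persistence(REPORT_LINES)
    for ioc in iocs:
        print(f"{ioc.kind:15} {ioc.location}\\{ioc.name} -> {ioc.target}")
    print("registered but not executed in the trace:", untriggered_targets(iocs, EXECUTED))
```

Run against the three lines from this report it yields one Startup-folder entry and two HKCU Run/RunOnce entries named Parametr, and flags C:\Mint97\optiaec.exe as the only target with no matching process in the tree; on a live host the same records map directly onto the registry values and Startup-folder files to check.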
Processes
C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe  (PID 2212)
  command line: "C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe  (PID 2100, child of 2212)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\UserDot4X\xdobsys.exe  (PID 2636, child of 2212)
      command line: C:\UserDot4X\xdobsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
(Files recovered from the analysis; the report does not associate them with paths. Neither 3.6MB file matches the submitted sample's MD5 9d5bef4d54045895d850aa9dace4b8d0.)

Filesize: 3.4MB
  MD5: 221444b530353587b439d699d10880b3
  SHA1: c974b181fd6c5271c1f5724d7fa7b6d982bc4fcd
  SHA256: 2f7bde66310909f533475f79e953c4fd903295f9ccdc11fcf4f1108ed131812e
  SHA512: a2fd069c0343f5fde0b2675660ae1350a98894a6d3e52a4359ca2f4f49dbd3410356c462b4e0bb80ee116d64ce47e3daf1dadb7286ab9a3d0ab74d3d886ebfdc

Filesize: 10KB
  MD5: 1b916c50de9513bd35995ff6e69aef92
  SHA1: 52937fef400b241d4a8b1ddd227652b7c677d4bb
  SHA256: 87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0
  SHA512: 7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Filesize: 3.6MB
  MD5: f41ac4625c22e7e3df806ffb41ea3a05
  SHA1: 926ebf4546f02c863f1e2d4af626c1c9a2f368e2
  SHA256: f30709bdfeff2cc919090929db13238579544b2731268f91f87bff067ac64fe2
  SHA512: 0fe9d1d45b58d09f7ce950c4fb74789c7201cba5abbd3524260f058c6a94077b7df0741d75cfa78dbe535e71f02caf6f93df283cfcd63997b4f8ec009c430cb9

Filesize: 172B
  MD5: 260beb2db3588c83f2bc4ecfa699e129
  SHA1: b0d926146a4efea8d8d70acaf1743f29ae16e1c5
  SHA256: a14c1ea3aaa108f962fb8f3ce79cf6af8f1171c91ba353e8594f2be0c06e007e
  SHA512: 5776a376c2fd63aee513d35aa1a7387536d240d32bb41aea91854579ae369545999a4fa44972fc512ccf9d05db90bc4e9afc90e00abf98c56fbc04167cb786a1

Filesize: 204B
  MD5: 79e97bde734b9f66dab4cd5d794ce085
  SHA1: 7fa015c7f1ab120a241eda2bc98566e883d08937
  SHA256: ac21570ccc57cc1c02561dae3bf3e19a2ce8ff1d79d0f30b44a64e90cdb52b33
  SHA512: e07d62e07fa6332c6fcaf101eb67595d7d2757f2498fd8bcbb8a9b84c8216fd69cc2f8e2a4111722d252bd762b1142a53182dd7dd68832b798c1ee1f7f505197

Filesize: 3.6MB
  MD5: 39d967c51861b76857518e02442afb04
  SHA1: a48043bd5df90a7edeca171d457b5e808a34ea7b
  SHA256: 8e17d2d641ca850229740178f1691c694ddb4b880607113f31faf88b29b7330c
  SHA512: 70a650465d20907a2bf5f03dbb87599a7e5585bdda9dd3a588552fc5d8650499d95232d7e67e72a6cd8e5628c6ced5a6c67a85ad7cc63da45c9d00d0cf7ef7fc