Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 05:38
Static task: static1
Behavioral task: behavioral1
Sample: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Size: 3.0MB
MD5: 9d5c0808f0a8eb112f4ce760ed2aa9f0
SHA1: 191567378cc75b1478e5403779e80bde5d79b1d7
SHA256: 0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f
SHA512: 99d7394d79335ddd7920953b44792a4a7ad296caf33fe48d644983de63fe1c2bd8cf5ecf1c85bd2f2ba0366ac8344836a34dac67377d3afbe2c8a99eb232a4ac
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (by 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe)
Executes dropped EXE 2 IoCs
Processes:
- PID 3064 locdevopti.exe
- PID 2684 adobloc.exe
Loads dropped DLL 2 IoCs
Processes:
- PID 1920 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe (2 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotG2\\adobloc.exe" (by 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidC4\\dobdevsys.exe" (by 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 1920 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe (2 entries)
- PID 3064 locdevopti.exe and PID 2684 adobloc.exe (alternating repeated entries; 64 IoCs in total)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 1920 (9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe) wrote to memory of PID 3064, procid_target 28 (4 entries)
- PID 1920 (9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe) wrote to memory of PID 2684, procid_target 29 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
  Depth 2: C:\UserDotG2\adobloc.exe
  Command line: C:\UserDotG2\adobloc.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
Network
MITRE ATT&CK Enterprise v15
Downloads