Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-06-2024 05:38
Static task
static1
Behavioral task
behavioral1
Sample
9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
-
Size
3.0MB
-
MD5
9d5c0808f0a8eb112f4ce760ed2aa9f0
-
SHA1
191567378cc75b1478e5403779e80bde5d79b1d7
-
SHA256
0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f
-
SHA512
99d7394d79335ddd7920953b44792a4a7ad296caf33fe48d644983de63fe1c2bd8cf5ecf1c85bd2f2ba0366ac8344836a34dac67377d3afbe2c8a99eb232a4ac
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF
Malware Config
Signatures
-
Drops startup file 1 IoCs
Process: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe -
Executes dropped EXE 2 IoCs
PID 2996 ecaopti.exe
PID 3184 adobloc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Process: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5K\\adobloc.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFH\\bodaec.exe"
Both values share the name "Parametr" but point at different executables. The Run value references C:\Intelproc5K\adobloc.exe, which this report shows being executed (PID 3184); the RunOnce value references C:\GalaxFH\bodaec.exe, which is not recorded as created or executed anywhere in this report, so that path should be hunted for separately rather than assumed present. -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe, ecaopti.exe, adobloc.exe
PID 4236 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe (4 entries)
PID 2996 ecaopti.exe and PID 3184 adobloc.exe (the remaining 60 entries, alternating in pairs between the two dropped executables) -
Suspicious use of WriteProcessMemory 6 IoCs
Process: 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
PID 4236 wrote to memory of PID 2996 (ecaopti.exe, procid_target 97), 3 entries
PID 4236 wrote to memory of PID 3184 (adobloc.exe, procid_target 100), 3 entries
Both targets are the sample's own child processes (see the process tree below), and each child receives exactly three writes; no write into a pre-existing or unrelated process is recorded here. Treat this as part of spawning the two dropped executables rather than as evidence of injection into a foreign process, unless other telemetry shows otherwise.
Processes
- C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe (PID 4236, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (PID 2996, depth 2, child of 4236; launched directly by the sample from the Startup folder rather than waiting for the next logon)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc5K\adobloc.exe (PID 3184, depth 2, child of 4236)
    Command line: C:\Intelproc5K\adobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4760, depth 1; a separate top-level process in the sandbox, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 3.0MB
MD5 f5bc7ea8c794e6c5b72ab6abae620a45
SHA1 eba964385d9783283b1e6546b7beb736c8ca42a4
SHA256 08ea013d6b9a53c21e014e886427827915992c95f5f8015db312a4b369862758
SHA512 9aff61d654ec24f96122c36e87117b59e6853aa6c0b282e474dfec2c62dc160a14dbc26faa2b908ec8114b092a0ef468e379c5c661fe3bdd216a96ca04f560d9
-
Filesize 3.0MB
MD5 a29f3cc4ff289c2fb7c39f965f4fc643
SHA1 80ec429b2ceeb324430391ab43fe9050aa0213e3
SHA256 c762f5e51e232b733a044c3d01784238c45ef2f62bbfa1f73f9848872b1fef56
SHA512 4d6b6c6d3e95e3e795aded48f95155b108da9c242ad15acb826e05b394fc78ac2b38796334dda3513c53c222d464b7650f4678a4b88c239cfee4f602074742ce
-
Filesize 3.0MB
MD5 f1e5f149efadcbf4afaa1992e07765ba
SHA1 d94e764c81081c55e6f5ebc65c5639930eb86bb6
SHA256 7269ee4ba5b63ce71e9721865c8de8696df4cb2c0c09e5c4f2ebf1fe670ba1bc
SHA512 31087278344054c969eea5bf8123a1dd578c27612adabb511c6db3623c1c0604e35abde9f1befbd234a84d30b5f87666e1e4a10cc8618f4102afdd36f2625516
-
Filesize 204B
MD5 e92d95166461c11a5e00305671ce87cb
SHA1 28048d21767b4e77a07c303ccf0e69d3d852a683
SHA256 a0f03e133b333ccbc52c08180af754c0a49d447b99dc3aa18f77256199cb16d2
SHA512 5cb6582bfd4cee799e16eea40cbf2374b5f41e6d014c5cd78365d9913cfa403a78c888365cc0c691cdf561318633181f1fa258c7922af01f3d5c7bf9a7a901f4
-
Filesize 172B
MD5 df37aed07976dc0b25dfac7beb8cc45c
SHA1 2fe2e045eee4186739f556f9b1dbcee2c8d66900
SHA256 4111f43db30fa882600b003d64d318995c87edbcff6951bc1be313731adf483b
SHA512 e846be3ced9ee952142c78552e93899c51242b0cd023843f291d1f6018a5fb637247904bf0694866562593e833a0f27fd5cd2aeee5adea7fcc446ee76a646713
-
Filesize 3.0MB
MD5 c9ed07124c6fdd005abd086c419e5c92
SHA1 0e6a17b0e0a4511212a1e3282b11ee8339784309
SHA256 a974fa195b133e305d1b1879a05c4578f22b057e4fa9abdfcb87660bf850428e
SHA512 2fb60dec39c66827fabbc68677a9e6ce9c1d19bcc0fabb3bb10393e74c6dfa2521ca6f3c51b7b169474fae3ef83e27c8bbc95c0dafbd5b65f0ce73265d6bdbbc