Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 05:40
Static task: static1
Behavioral task: behavioral1
  Sample: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
Size: 4.1MB
MD5: 9d65b7377b97a83b5bf897b308d5b800
SHA1: 9733be181d56d790477cfe43bb4b2322b3301949
SHA256: 4b893fe9b796bc711f72786faa1212eb22105fb825643abd1ff41f112e5dd14d
SHA512: f9a95fe28f296b393c8cdd08956f2cdc60ecc3311996d7c821a6b7a69501a64906d482bd79f7179487088899038028676a7089bb8a8254f1e1e6e7ec95a0c758
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
Process: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
Executes dropped EXE (2 IoCs)
Processes:
  PID 2548: sysxopti.exe
  PID 2712: devbodsys.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 1904: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe (2 events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR8\\devbodsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO5\\dobxec.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 events in total):
  PID 1904: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  PID 2548: sysxopti.exe
  PID 2712: devbodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Process: 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
  PID 1904 wrote to memory of PID 2548 (procid_target 28): 4 events
  PID 1904 wrote to memory of PID 2712 (procid_target 29): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe (PID 1904)
   command line: "C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (PID 2548)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\IntelprocR8\devbodsys.exe (PID 2712)
      command line: C:\IntelprocR8\devbodsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads