Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 13:39

Static task: static1
Behavioral task: behavioral1
  Sample: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
Size: 4.0MB
MD5: 3fc1c33983231a85fc3007f196ada650
SHA1: c61c150a30a71524ef419e192af5cd762a066692
SHA256: b486ad7f522a6f07cb1e1862f34b152b75f3dba3f74df1c11c2078dc420644e8
SHA512: e42ef4ce75f21cc5d8cfc49d0575bf487f304889c91c68000c758b52585684d30dd3024a565302764a6df6ac4f9ebbdf2bce44c8ce1632fa14bdbbee7fe326e7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  process: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe

- Executes dropped EXE (2 IoCs)
  pid 3428: sysaopti.exe
  pid 3964: abodloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXZ\\abodloc.exe"
  process: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBMO\\optixec.exe"
  process: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs across three processes)
  pid 1440: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  pid 3428: sysaopti.exe
  pid 3964: abodloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1440 wrote to memory of 3428; pid: 1440; process: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe; procid_target: 87 (listed 3 times)
  description: PID 1440 wrote to memory of 3964; pid: 1440; process: 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe; procid_target: 90 (listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe"
  PID: 1440
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 3428
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvXZ\abodloc.exe
    command line: C:\SysDrvXZ\abodloc.exe
    PID: 3964
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads