Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 08/06/2024, 14:28
Static task: static1
Behavioral task: behavioral1
- Sample: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
- Size: 3.0MB
- MD5: c23164dbedc67bcd12876522f55dbf10
- SHA1: 6c2396cdaf58c0b888824c1fc047423f7745b620
- SHA256: 989995251f92b2d1b6d8ff4a588b76f8a462dab65cb4870c0a9dad27056a30ec
- SHA512: 84b376102004559a09427cb6b2c00eb9ac9f15656af892c5c26175fd17fdd793e7f1bb55f466c1264af9f7da983093d87106fb52aa46ac81fdf60ff4779c72c3
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  PID 3876: locdevbod.exe
  PID 2068: xdobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe"
  Process: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe"
  Process: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated hits from the following processes)
  PID 3040: c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
  PID 3876: locdevbod.exe
  PID 2068: xdobsys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 3876, procid_target 82
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 3876, procid_target 82
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 3876, procid_target 82
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 2068, procid_target 83
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 2068, procid_target 83
  PID 3040 (c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe) wrote to memory of PID 2068, procid_target 83
Processes
- C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe"
  PID: 3040
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 3876
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeQ8\xdobsys.exe
    Command line: C:\AdobeQ8\xdobsys.exe
    PID: 2068
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads