Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 03:07
Static task: static1

Behavioral task: behavioral1
  Sample: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General

Target: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
Size: 3.0MB
MD5: 2589b0bc32db1a76714c6933a7a5dbb0
SHA1: 9c5cc31ba7b211e6bd843d6ad2694bd3e3ea3c2c
SHA256: 8ef24919b65e25209f20c764ea1bfcc1f1e71a54ad321b667e5841fe2429b0c0
SHA512: 8fd6e80e97d73ee9b4b064a5819a9e1e3ffb48f2bad99df18f1e786312936140a0a44ec40d93e971ff8c1a4218bbaf10762232f0725c46cc1cc92bf48590c514
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8:sxX7QnxrloE5dpUpRbVz8
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Process: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
  PID 4396: ecxdob.exe
  PID 4148: xoptisys.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLF\\xoptisys.exe"
    Process: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCD\\optixec.exe"
    Process: 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1184 wrote to memory of 4396 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 90
  PID 1184 wrote to memory of 4396 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 90
  PID 1184 wrote to memory of 4396 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 90
  PID 1184 wrote to memory of 4148 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 91
  PID 1184 wrote to memory of 4148 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 91
  PID 1184 wrote to memory of 4148 | pid 1184 | 2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe | procid_target 91
Processes

C:\Users\Admin\AppData\Local\Temp\2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2589b0bc32db1a76714c6933a7a5dbb0_NeikiAnalytics.exe"
  PID: 1184
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    PID: 4396
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesLF\xoptisys.exe
    Command line: C:\FilesLF\xoptisys.exe
    PID: 4148
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4828 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 3552
Network
MITRE ATT&CK Enterprise v15
Downloads