Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 23:52
Static task: static1
Behavioral task: behavioral1
  Sample: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
Size: 3.1MB
MD5: 4e162a2042a856d33ab3989d2572a600
SHA1: 325acaa411181457eec41cfdbea6cf558354be7e
SHA256: 1ab17e03fdada90dd88aae5d633dfefbc9b2b213be9d04a3cece47398026d5fa
SHA512: 349614707e46c13d4f970cbd19b620d5b8cfe4dfe48d21296ddab97088ac58d7f59904c4cfc4e548bfa9008c9cd2a78a9b97f740a97c1197ff8295c859ad5be1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp9bVz8eLFc
Malware Config
Signatures
Drops startup file (1 IoC)
Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
Executes dropped EXE (2 IoCs)
Processes:
  PID 1664  ecxdob.exe
  PID 2072  devoptisys.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 2424  4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. This signature is reported as TTPs only; no file or registry IoC for the browser data access is listed in this report.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotXY\\devoptisys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4M\\optixec.exe"
Both values use the same value name, Parametr, under the user hive (HKCU Run and RunOnce). The RunOnce target C:\Mint4M\optixec.exe appears only in this registry value; it is not in the process tree of this run.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 2424  4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe (2 entries)
  PID 1664  ecxdob.exe and PID 2072  devoptisys.exe (alternating, 62 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  PID 2424 wrote to memory of 1664 (ecxdob.exe), procid_target 28, 4 entries
  PID 2424 wrote to memory of 2072 (devoptisys.exe), procid_target 29, 4 entries
Both targets are the two children the sample itself launched, and a parent writing into a freshly created child is also produced by ordinary process startup, so this signature on its own does not establish code injection.
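The signatures above (startup-folder drop, Run/RunOnce value, execution of the dropped binaries) form one behaviour chain that can be detected from host telemetry. The following is an added example written for this page, not part of the sandbox report or of the sample: a small rule set run over a constructed list of Sysmon-style events (ProcessCreate, FileCreate, RegistrySetValue). The Event field names and the event list are assumptions that mirror the report's IoCs; a real pipeline would map Sysmon EID 1/11/13 records onto them, and the benign OneDrive and notepad events are constructed noise.

```python
"""Detection rules for the persistence chain in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Copied from the report: the Run/RunOnce value name the sample uses.
RUN_VALUE_NAME = "Parametr"

STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Directories a legitimate autostart binary normally lives in; anything else is suspicious.
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed shape). event_id: 1 ProcessCreate, 11 FileCreate, 13 RegistrySetValue."""
    event_id: int
    pid: int
    image: str            # acting process, or the new process for event 1
    target: str = ""      # file path (11) or registry value path (13)
    details: str = ""     # registry data (13)
    parent_pid: int = 0   # event 1 only


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def detect(events: List[Event]) -> List[Alert]:
    """Run all rules over an ordered event stream; alerts come back in event order."""
    alerts: List[Alert] = []
    dropped: Dict[str, int] = {}  # normalised file path -> pid that created it

    for ev in events:
        if ev.event_id == 11:
            dropped[_norm(ev.target)] = ev.pid
            if STARTUP_DIR_RE.search(ev.target):
                alerts.append(Alert("drops_startup_file", ev.pid, ev.target))
        elif ev.event_id == 13:
            m = RUN_KEY_RE.search(ev.target)
            if not m:
                continue
            key, value_name = m.group(1), m.group(2)
            # Two independent signals: the value name seen in this report, or an autostart
            # target outside Program Files / Windows (C:\UserDotXY, C:\Mint4M in the report).
            if value_name == RUN_VALUE_NAME or not TRUSTED_DIR_RE.match(_norm(ev.details)):
                alerts.append(Alert("run_key_persistence", ev.pid, f"{key}\\{value_name} = {ev.details}"))
        elif ev.event_id == 1:
            image = _norm(ev.image)
            if image in dropped:  # "Executes dropped EXE": correlate with an earlier FileCreate
                alerts.append(Alert("executes_dropped_exe", ev.pid,
                                    f"{ev.image} (dropped by pid {dropped[image]})"))
            if STARTUP_DIR_RE.search(ev.image):
                alerts.append(Alert("runs_from_startup_folder", ev.pid, ev.image))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed events mirroring the report's process tree and IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
HKU_RUN = r"HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    Event(11, 2424, SAMPLE, target=STARTUP_EXE),
    Event(11, 2424, SAMPLE, target=r"C:\UserDotXY\devoptisys.exe"),  # constructed; report shows it only as executed
    Event(13, 2424, SAMPLE, target=HKU_RUN + r"\Parametr", details=r'"C:\UserDotXY\devoptisys.exe"'),
    Event(13, 2424, SAMPLE, target=HKU_RUN + r"Once\Parametr", details=r'"C:\Mint4M\optixec.exe"'),
    Event(1, 1664, STARTUP_EXE, parent_pid=2424),
    Event(1, 2072, r"C:\UserDotXY\devoptisys.exe", parent_pid=2424),
    # Constructed benign noise: a vendor autostart under Program Files and an ordinary launch.
    Event(13, 5120, r"C:\Windows\explorer.exe", target=HKU_RUN + r"\OneDrive",
          details=r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    Event(1, 6004, r"C:\Windows\System32\notepad.exe", parent_pid=5120),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

On the constructed stream this yields one drops_startup_file, two run_key_persistence, two executes_dropped_exe and one runs_from_startup_folder alert, all on PIDs 2424, 1664 and 2072, and nothing for the benign events. The dropped-EXE rule depends on seeing the FileCreate before the ProcessCreate, so it needs the events in time order.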
Processes
- C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe (PID 2424), command line: "C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 1664), command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotXY\devoptisys.exe (PID 2072), command line: C:\UserDotXY\devoptisys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File names are not recorded in this export; only sizes and hashes are listed.
- Filesize: 3.1MB
  MD5: cd598adf86d0e01572972267873b2672
  SHA1: 43346a554a6277092fee77f94682bc9ae7549f25
  SHA256: b64893bfacbbeee7886581e12d7b83ddc95bc91c9d3ef58a86b848bb2e1f1852
  SHA512: 0f57f456c7e6af19e94695df38983b251f81abb9e47a31d8831e2f4304c09e82a8fbc1a4e554b2953902823321f54588e066c037476376cbcfbcce8f98a06846
- Filesize: 3.1MB
  MD5: 983d91076d128fa70e4fb2ba14553c2c
  SHA1: 04cb956b20379f1db25e5581502732551f85e2c5
  SHA256: bff44e1b659ba7864f41c14ced34ea5b9fa9b3b4f89337d27917b0e001691454
  SHA512: 6cd05e49364df66e0e54731914304020f844278a784867737834ca9ba6a8c618c6a6e11cec13b7186c10ffc0e25f78df387053ab8e86f86f7a6dbc75faac00d8
- Filesize: 3.1MB
  MD5: a23bcd9bcc2271d3305712734deb86df
  SHA1: e571d8260c1b11b5855e442d1fd5eae863063380
  SHA256: 05564f8e200042cc920420b1cc46f4d96f7546eeb2a362658871cb71071c3774
  SHA512: 30fc05df0c063c0aa840d5993bc23c5e20aa8b22ded5d7868658955731be0680fdf33e366c720d57764677c3ce1f15b9c5076c38073894a9ee437bf09f990853
- Filesize: 172B
  MD5: b1be5461e8ed0fdd490776935e800386
  SHA1: b6de9671a467188583deacda01eb81525692e921
  SHA256: e5323be30ae88ea7960307cb941a069cbe3216db3010954beb5b76bb5baeb27e
  SHA512: e43df038a4174cbcb1c3b4e0e7dd889af6af90ede5a01b12824bcf683cc71ccf2fa3a35ed960a0946e8be778b2b9803ee0baa1594e8c455836a4600795d792a2
- Filesize: 204B
  MD5: caf6408a219965c3a2cd29fc315d02c9
  SHA1: b5513b155e330264b799edb07f34888765d9cad4
  SHA256: a3204a8fbf8aeeb5713890f513619a1a2c7cd613ece0946f4cfc30250dcbec34
  SHA512: f11a3f465b238cb30a221e422b30d92fa8cea42985bed22e330089910f0cdba222f45ad82923ded1a7a1bfd810ccd76e226cd564917bff71c838da0b4158bec8
- Filesize: 3.1MB
  MD5: cfccd03fb399fae0df49b9a5137d9879
  SHA1: bbbcba2a9ebcfb47e68efba2d96626e3f540e435
  SHA256: a0a7fb72c0c48f692e1291597fac4c8a1d7d19c6fe6d601e62d8942c61bc7a17
  SHA512: 5aeb526aa3d8930d46a89e05f00a3c1ecc18e6bf85fb46ce0e106aa0a529c0ae976410d2b4e1e2262fe6e8234621715bc1d2ffd89e5ebc89b7d6e5a00b65dea8