Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 23:52

Static task: static1

Behavioral task: behavioral1
- Sample: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
- Size: 3.1MB
- MD5: 4e162a2042a856d33ab3989d2572a600
- SHA1: 325acaa411181457eec41cfdbea6cf558354be7e
- SHA256: 1ab17e03fdada90dd88aae5d633dfefbc9b2b213be9d04a3cece47398026d5fa
- SHA512: 349614707e46c13d4f970cbd19b620d5b8cfe4dfe48d21296ddab97088ac58d7f59904c4cfc4e548bfa9008c9cd2a78a9b97f740a97c1197ff8295c859ad5be1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp9bVz8eLFc
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 3112: ecdevopti.exe
  - PID 428: xoptisys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the 64 entries repeat the same three pid/process pairs; distinct entries):
  - PID 4184: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  - PID 3112: ecdevopti.exe
  - PID 428: xoptisys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  - PID 4184 wrote to memory of PID 3112 (procid_target 84), recorded 3 times
  - PID 4184 wrote to memory of PID 428 (procid_target 85), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
  PID: 4184
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    PID: 3112
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe7H\xoptisys.exe
    Command line: C:\Adobe7H\xoptisys.exe
    PID: 428
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads