Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 13:04
Static task: static1
Behavioral task: behavioral1
- Sample: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 3ca6e86a4c59ac5490197169c427e720
- SHA1: ff47d9977811d55a4402645f2e0fe97dfaea1563
- SHA256: 5005583fa4f8c5871a75859089148fef2e945b754405f7df5fe22b5e11723c8f
- SHA512: 4ce3c441ff80e13f47fb2b4e6c94fc0365ef568dc207726fd6337c61191a611bc92b5cb03b5b875017cf56c0422c8bb917154d304ea2a809d9c9817a998625cf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp3bVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
- Executes dropped EXE (2 IoCs)
  PID 2888: sysadob.exe
  PID 2784: devdobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2124: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ0\\devdobsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid95\\optidevsys.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2124: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  PID 2888: sysadob.exe
  PID 2784: devdobsys.exe
  (the same three processes are reported repeatedly, 64 events in total)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2124 (3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe) wrote to memory of PID 2888, procid_target 28 (4 events)
  PID 2124 (3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe) wrote to memory of PID 2784, procid_target 29 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
  PID: 2124
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2888
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocQ0\devdobsys.exe
    Command line: C:\IntelprocQ0\devdobsys.exe
    PID: 2784
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads