Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 13:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task
- behavioral2
  Sample: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 3ca6e86a4c59ac5490197169c427e720
- SHA1: ff47d9977811d55a4402645f2e0fe97dfaea1563
- SHA256: 5005583fa4f8c5871a75859089148fef2e945b754405f7df5fe22b5e11723c8f
- SHA512: 4ce3c441ff80e13f47fb2b4e6c94fc0365ef568dc207726fd6337c61191a611bc92b5cb03b5b875017cf56c0422c8bb917154d304ea2a809d9c9817a998625cf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp3bVz8
Malware Config
Signatures
- Drops startup file (1 IoCs)
  Processes: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  Processes: ecdevopti.exe, xoptisys.exe
  pid | Process
  4576 | ecdevopti.exe
  3960 | xoptisys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe" | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe" | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe, ecdevopti.exe, xoptisys.exe
  pid | Process | entries
  1312 | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | 4
  4576 | ecdevopti.exe | 30
  3960 | xoptisys.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  description | pid | Process | procid_target | entries
  PID 1312 wrote to memory of 4576 | 1312 | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | 85 | 3
  PID 1312 wrote to memory of 3960 | 1312 | 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | 86 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
  PID: 1312
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    PID: 4576
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe7H\xoptisys.exe
    Command line: C:\Adobe7H\xoptisys.exe
    PID: 3960
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 3f85beaf970f439cbe76075586c90e81
  SHA1: f71045bcda4a2af38e332e1e38bf7009d0421a3d
  SHA256: 77235988fcad75b5797d5c575658143c5738f6c0b65b64fd1f7d39c2269f6a5f
  SHA512: e6f2857635855be8be2b16a057239fadcbd7c8239a1c2725f4bf8c03bd455903dedb91bcdfa625e1ad3360af80a7ecdf887c52ae96e7e2c97a52da4e19f93a1f
- Filesize: 3.6MB
  MD5: cf6ed2bff14a722e416a6a998e6c7fc6
  SHA1: f584847591f7748a78f4367f61e58d0f73f0b6e3
  SHA256: 044133cd5ca4ecd39634a17212019beddd0a8023da7e01ba86771e78cc97746a
  SHA512: a9a81f98a4d88827705bfe087638c7010f4ef840a41f3e15b83ff72ad21a9483a79f810031c404333a154c276322421bd5c4588d2f68cc9b10900aed75d29f57
- Filesize: 243KB
  MD5: d485821803759891c719fdf3ed0e8d7e
  SHA1: 867ad8cc0a3483b517078aaa95346df470093355
  SHA256: 97f90fb3f83bdcb5fa1f3f975ef440c8a3f70ccd0e3229e39e22a32b27db4a15
  SHA512: a88615e54d1e8eb453f1e3db6c6fdfc57b9cfd77c248018a37f7d7cd81b6b54c5f29e662e8b075a17e2cd8c8ec417ab6a0f527223ee84204243887ce2fdf30a3
- Filesize: 303KB
  MD5: 39baf1bd01bfc2eabebea56223e7f3e4
  SHA1: d7f8505ad4245753b9ce1fb673d4bf24fe478bc0
  SHA256: a17c9d4589459028432b687ebaddf2538f65a939ec0f9c2c1b3506b41273efbc
  SHA512: 7d74fed9cc93c97460701b53edd28803726d38b9ef4c043796eba33ed5d394a80bd5025611256d930b894bbea91ce5ed4c85909569bb8f2836c60275f588d97b
- Filesize: 204B
  MD5: b7d4e789dbe8aaff0e22005232d66884
  SHA1: 561bb99b8bf60cd817be81e70a1514013689ff99
  SHA256: c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9
  SHA512: 9772d0d833083c9f49d10d230410304c5e2cc1c361d08d88fe665d101dc041a8ae5b7a388fe62086ff833a6ad91f22ebd3d616e985b3b96f7705ec292c1f2943
- Filesize: 172B
  MD5: ffaa8f5b267d209a4b61366b458b0679
  SHA1: 7f9effe04f4a1de5f0aae4ef4659ae94d7bf9264
  SHA256: 2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56
  SHA512: 8ec34760f695bfd5effabade3d4d982c98fa556379f058d1590b7dafbfae5f0fef4cc33e421928739582a603855a350b6fc71fe2df5e50df1a8c630fb0eb8213
- Filesize: 3.6MB
  MD5: 513a5c2f5e70d6850168036eb4a6dd73
  SHA1: bfa00843a4ea9e8a9e4ac3c36e0c3597cae95233
  SHA256: 88a82acc196db2828f959b059f76595fd33e3af9ce85e9a10dbb085084d3849e
  SHA512: 7950a78aded65ae7cf50a6b136ef5f41ad6eabf188a2596ed16965d3b71deba501c5a5f60b4559ee0e238d97a8837b0888889ec01d8aa73ac118ff23a6b7ddc6