Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
12-06-2024 13:06
Static task
static1
Behavioral task
behavioral1
Sample
3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Size
3.6MB
MD5
3cc47c00cc72e68a881ef4960a223220
SHA1
77afc423ba05d7bda519a0b9a22f728d1dc12174
SHA256
6183d1cac848af34e0dd5d796819d29311ee895f8f6db11635828b9165c77032
SHA512
37a4ddbc3bbac34303bfcca74fc060807d5e09170fec73b161ec2a017bb90b6409211970fcd184ead0831bcc175115f31347bb386e6f0df56e9de68a36cf280d
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz
Malware Config
Signatures

Drops startup file 1 IoCs
Processes: 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Executes dropped EXE 2 IoCs
Processes: locadob.exe, aoptisys.exe
pid | Process
4624 | locadob.exe
5012 | aoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRD\\aoptisys.exe" | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintER\\dobaec.exe" | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe, locadob.exe, aoptisys.exe
pid | Process
3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
4624 | locadob.exe
5012 | aoptisys.exe
(the 64 entries in this signature are repeated hits on the three pid/Process pairs above)
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
description | pid | Process | procid_target
PID 3564 wrote to memory of 4624 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 81
PID 3564 wrote to memory of 4624 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 81
PID 3564 wrote to memory of 4624 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 81
PID 3564 wrote to memory of 5012 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 82
PID 3564 wrote to memory of 5012 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 82
PID 3564 wrote to memory of 5012 | 3564 | 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | 82
Processes

C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4624

  Child: C:\SysDrvRD\aoptisys.exe
  Command line: C:\SysDrvRD\aoptisys.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
576KB
MD5
1813890ae3ea9f2197e18015ff9122b8
SHA1
7bee4e6f71c91b0b575acd3d46d2f7e41c8aadd5
SHA256
46e0ce27d3dbd82e299f0ed515128f4762561d8aa0dd0bbd7b73f8e49e806315
SHA512
8adc15db5f816602c4240fa0860ffaa4583e31abaa313ed2f039cd52dca7d7f7e3a6957939aa2e9cf4f955cc358582393ddae016e2c23d0c5e86372e8a384667

Filesize
1KB
MD5
81306907a8898717e74eee7fe3ec9748
SHA1
6871f1f920d712de6120473f387e1497841b3829
SHA256
1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322
SHA512
205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

Filesize
2.4MB
MD5
95b34ec8a31d0ec3abd07d4677803b60
SHA1
058221246f7fee09356a1d810b027a0a15ec27b7
SHA256
f61247540a7fe46ae909d911bec84442789841bdc14575e7e3d40ad9d1e5cc99
SHA512
985f6a747c5b46f25e129fff1877a3b48d271a13c298f30e460b490979d7a2303a2cac51c78dcce969f7ac9f1a6f288a48a5660f5317ddcb07a4634dd7a79499

Filesize
3.6MB
MD5
83ed8cfca063f3de619b965d1c331421
SHA1
e32259277cf7f34f1ce26690e8fc2ac17a2069ce
SHA256
80feaa2ca102104a04de50981b2302e14bdc1050df4e4e3902a3659355fe6445
SHA512
594be7040aefd0a302e76cad7d9e6f4b98bb6d65a1a7c3e15ceb54b3154bfe7aebd494084c1365bd0cbcc2bcd3a4c6327f40f483edcff0a7b1f979330bfc161c

Filesize
201B
MD5
c9b6cd193b94db01da9adbb25618a35a
SHA1
9d109148f6c175cd6c65a9fc04493f639368fdf7
SHA256
de0fa00a9ce9d52a49b813006b750a572b9059d60a27265056b362ba312c9716
SHA512
8400ae86d7b693018e9248c46b79ffdae5878fa11ae52ff0460b52224bf7e4e548fb64c1e189cb79d9eeb692f8a096702191273a5536f2cff1697e2b5cba3b4c

Filesize
169B
MD5
ecfd3557d2ed18ce4069985ff03ce708
SHA1
afbcfbfab8ecd2131a0a4c811c67556f216f96e5
SHA256
e3d6a3ffdbba19b892c4fcd928ce0fb87d4af92781f1e6259dfe6f4395e9e356
SHA512
16becb18d96627480354947b9a2ae94d337e78f4d92766d77b6aa4794cef9c9dc6e4426d5b38a3dbdf8acd2973a3f299228f3cb88540ce424001def49abc9b8d

Filesize
3.6MB
MD5
d2f856aeceddd993ddcbbbef76b3e62d
SHA1
51ff96506d2d6012c91e9a08947805e48287b06e
SHA256
ea82aafa160b28ce8cdd67b5a448d39e9fd4ca7655e2b4fcc6df4b3379293737
SHA512
977cab8cce9fdebaef6f7cd841841dfb9f75fd0251302a4b27f3a089f13dc860616e7a48a0a648328169a85a6d5d8b8ec8463e6f2fc60c8bb548d19923b1ea87