Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
Size: 3.6MB
MD5: 3eaf7470bab5b68d7c069891d99d1d10
SHA1: ef12bf5649f38fcfc73aa9d030c4a5d0805b2a61
SHA256: a61ce869d228e1e79be2462fa23779dd5a1c43642e470b7ed4232b48c71cc393
SHA512: b99ebb867fd982a9cdce2cae7c21677000fdc98e26939d2dcfd3337e88394908bdf022ee30c57f964d0fc44ceab3d6268fc548854840b5b55108aff8166f7e2e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
Executes dropped EXE (2 IoCs)
  PID 2936: sysxopti.exe
  PID 1576: xdobsys.exe
Loads dropped DLL (2 IoCs)
  PID 2232: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe (2 events)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB63\\dobdevec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSL\\xdobsys.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2232: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe (2 events)
  PID 2936: sysxopti.exe (31 events)
  PID 1576: xdobsys.exe (31 events)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2232 (3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe) wrote to memory of PID 2936, procid_target 28 (4 events)
  PID 2232 (3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe) wrote to memory of PID 1576, procid_target 29 (4 events)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
  PID: 2232
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 2232): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
    PID: 2936
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Depth 2 (child of PID 2232): C:\FilesSL\xdobsys.exe
    Command line: C:\FilesSL\xdobsys.exe
    PID: 1576
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads