Analysis
max time kernel: 150s
max time network: 58s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
Size: 3.6MB
MD5: 3eaf7470bab5b68d7c069891d99d1d10
SHA1: ef12bf5649f38fcfc73aa9d030c4a5d0805b2a61
SHA256: a61ce869d228e1e79be2462fa23779dd5a1c43642e470b7ed4232b48c71cc393
SHA512: b99ebb867fd982a9cdce2cae7c21677000fdc98e26939d2dcfd3337e88394908bdf022ee30c57f964d0fc44ceab3d6268fc548854840b5b55108aff8166f7e2e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpFbVz8
Malware Config
Signatures

Drops startup file (1 IoC)
Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid 3684: locxopti.exe
  pid 1944: devbodsys.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCE\\devbodsys.exe"
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBB\\bodasys.exe"
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 repeated entries across the following three processes):
  pid 1856: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  pid 3684: locxopti.exe
  pid 1944: devbodsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 1856 wrote to memory of 3684 (3 entries)
  pid: 1856
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  procid_target: 84

  description: PID 1856 wrote to memory of 1944 (3 entries)
  pid: 1856
  Process: 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  procid_target: 85
Processes

C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
  Level: 1
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1856

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    Level: 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3684

  C:\FilesCE\devbodsys.exe
    Command line: C:\FilesCE\devbodsys.exe
    Level: 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1944
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224KB
MD5: b731b70145c43a143d27cf6848a24258
SHA1: 9263279c18df5ed1f740cd5e37ca036a863ab6d8
SHA256: e4d88d91f5fd4ccc7a4a5c7a8ad227c1614d755dd6f631a2dea77b03c94fad32
SHA512: 5146cbe28e812d8e5916ffa255f644ba4ded9694aba32be3a070b33e42d4f4e9a997ec86c65eb6ae30eba29cb6722e267fea70ce4f509397e3df84394a4314fc

Filesize: 3.6MB
MD5: feaebd34544ee1513e10f8e43b1bdee9
SHA1: e0cdd86436a49c8dfa621c02de9ec6484b049912
SHA256: b6b43edc8adce647f60eb181e06bc9ead843ab84837e4bcbcb4e89f0deeb365a
SHA512: 7df3910ab6514cc5154f31a80eed4c2f5efb32e2e39cbc34ba843bff896596002e12052f871df2cfdd63254e71e39f63601aec7ca08afc39d8a5c408c8aaf855

Filesize: 2.3MB
MD5: 1297dba194a453ff0464617478cb7043
SHA1: d8ad7a17e7cf39e03075c6b226067924a2d45a2c
SHA256: 1ad0fc38588c1986e68778fdd1bcc0c2587b21e777a96e2e9fb3c19b08e0d7d9
SHA512: 976fdb69bd0f9f51b1a607504bddd780661eb442e4fded5ee51cae8596744560eb4329b116a98aaf47f805f8feaad626818f414af1abd3829f9442e213d82e9b

Filesize: 637KB
MD5: eee8d9f20fee55fd343c4bcb7f7912b8
SHA1: 89c7ad700bee445dbc4be43b2fb57317d3e5ee39
SHA256: 26cb1d36d435274acc02ccda99098e9aefd225bd6d32c804d59aefcc7568027f
SHA512: 8c15291604d75db7627b634118fb9ab7b328ae3a3c3de40555d39e098d9b6ac64e626dc713beba41332bb12d8fe130cdeb3c381825de6b3e7639ecd50d37f21e

Filesize: 204B
MD5: 149ba287234ec6a6b8169576e1aadfcf
SHA1: 3383e14dbc03c422f744cc35af8b95a4b2d57a3a
SHA256: 756def2c16ac82b4c460525e92cc52c2c1bcb8f89427c777bb26ba63f7237eea
SHA512: 69c64453fb4189f79821a304ce86ad8afc303998b0debb9032d7ac03d8f6755d2d87a9b470b38718b894380a2f37c29da35c7fb29e2539ac322d8cd91a3d9df6

Filesize: 172B
MD5: 9c0335afb7926be7511922ad5b2832d3
SHA1: e8ac7ce3e1f7643524cbafc61065d8701d7337e1
SHA256: 709f48dbd18de4a2f1e37c21b777e0d5f730fcf974959c236fb1d53d6c6a969b
SHA512: bc4ca321f0f5e3778535c296bac44d7d719f0707ed93da69f4251100aae0127476ac581ba0de26e0211b58f20e32d7931caebce3573d0686c99445008baacc69

Filesize: 3.6MB
MD5: fc4228d25b96f3b64f21bfe2e509b573
SHA1: c80170a5ce0f7cc639f64085f389e687281ea9b9
SHA256: 1b4d9d5e9409faa5247c5b6a7a96ddb5bf2e60716818d656086e22111d6225a7
SHA512: 839d2953bdbedac04ce632f9156e39589a0dc88645f156c80115b38b33c6263f841b886f58b4900b5f369dac81ed2f1abf7af6cd9a004ba29150dec706238e57