Analysis
max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted
12-06-2024 13:59
Static task
static1
Behavioral task
behavioral1
Sample
400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
-
Size
3.0MB
-
MD5
400a6face13f1fb9d5a6cb6140049db0
-
SHA1
b48827a61837d78b608f5389ea755c018a540de4
-
SHA256
9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1
-
SHA512
e449299967c4ad0cbc3c92ea3cf3f15c7035c99e913fe6e6625f10a92511c5c395ee9f62c3f2a015074236598d78192c4915bd480d291461349bfff5976ee6cb
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUp8bVz8eLF
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs
Processes: locxdob.exe, devbodec.exe
pid  Process
2172 locxdob.exe
2952 devbodec.exe

Loads dropped DLL 2 IoCs
Processes: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
pid  Process
1976 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
1976 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. This signature is mapped to TTPs only; the report lists no file or registry IoC for it.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD8\\devbodec.exe"
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR4\\optiasys.exe"
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe, locxdob.exe, devbodec.exe
pid  Process
1976 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe (2 entries)
2172 locxdob.exe and 2952 devbodec.exe (alternating, 62 entries in total)

Suspicious use of WriteProcessMemory 8 IoCs
Processes: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
description                       pid  Process                                               procid_target
PID 1976 wrote to memory of 2172  1976 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe  28 (4 entries)
PID 1976 wrote to memory of 2952  1976 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe  29 (4 entries)
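The two persistence artefacts in the signatures above (a copy dropped into the per-user Startup folder, and Run/RunOnce values named Parametr pointing at C:\AdobeD8\devbodec.exe and C:\MintR4\optiasys.exe) are the parts of this report a responder can hunt for on other hosts. The PowerShell below is an added example and is not part of the sandbox report or of the sample. It sweeps Run/RunOnce for HKCU and every loaded user hive (the SID shown in the report belongs to the sandbox VM and will not exist elsewhere), lists executables in Startup folders and in the two drop directories, and compares their SHA256 against the hashes listed on this page. The value name, directories, file names and hashes are taken from the report; the function names and the output layout are this example's own choices.

```powershell
# Added hunt script (example code, not part of the sandbox report or the sample).
# Assumed from the report: value name "Parametr", drop directories C:\AdobeD8 and
# C:\MintR4, file names locxdob.exe / devbodec.exe / optiasys.exe, the SHA256 list.
# Function names and the output object layout are this example's own choices.
# Run elevated to sweep all loaded HKU profiles; unelevated it still covers HKCU.
# Requires Get-FileHash (Windows PowerShell 4.0 or later).

$KnownSha256 = @(
    '9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1',  # submitted sample
    'd58048d54d222d28cb1823a9361f38c97fcdc30cd05daa47b7f893879a4241e0',  # 3.0MB files listed under Downloads
    'a0817ed4cac64f7e915c6a2be51250b4d8a3fb68e50fde65ec96931c9401ffc8',
    '20fb6310aa26757811e6c13f8da31205618beab4e3568c341860de34bfef9edc',
    'a62bb65a18e1bba520804f71d75a1e21ad852feb9b4d746d96ce91ea1d88112d'
)
$SuspectDirs      = @('C:\AdobeD8', 'C:\MintR4')
$SuspectValueName = 'Parametr'
$SuspectNames     = @('locxdob.exe', 'devbodec.exe', 'optiasys.exe')
$ProviderProps    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-SuspectPath {
    param([string]$Path)
    # The report prints the value as "C:\\AdobeD8\\devbodec.exe"; the live registry value
    # has single backslashes and may be quoted, so normalise before comparing.
    $clean = $Path.Trim().TrimStart('"').TrimEnd('"').Replace('\\', '\')
    foreach ($d in $SuspectDirs) {
        if ($clean.StartsWith("$d\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    foreach ($n in $SuspectNames) {
        if ($clean.EndsWith("\$n", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyFindings {
    # The SID in the report (S-1-5-21-...-1000) is the sandbox user's; sweep HKCU plus
    # every loaded user hive instead of hard-coding it.
    $hives = @('Registry::HKEY_CURRENT_USER')
    $hives += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($ProviderProps -contains $p.Name) { continue }   # skip provider metadata
                $val = [string]$p.Value
                if ($p.Name -eq $SuspectValueName -or (Test-SuspectPath $val)) {
                    [pscustomobject]@{ Kind = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $val }
                }
            }
        }
    }
}

function Get-FileFindings {
    # Executables in every profile's Startup folder, the common Startup folder and the two
    # drop directories. A listed name or hash is a match; any .exe sitting directly in a
    # Startup folder is reported for review as well, since that is how locxdob.exe persisted.
    $startupRel  = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $startupDirs += @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $startupRel })
    foreach ($d in ($startupDirs + $SuspectDirs)) {
        if (-not (Test-Path $d)) { continue }
        $inStartup = $startupDirs -contains $d
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                $why = @()
                if ($KnownSha256 -contains $sha)             { $why += 'hash listed in report' }
                if ($SuspectNames -contains $_.Name)         { $why += 'file name from report' }
                if ($inStartup -and $_.Extension -eq '.exe') { $why += 'executable in Startup folder' }
                if ($why.Count -gt 0) {
                    [pscustomobject]@{ Kind = 'File'; Location = $_.FullName; Detail = "$sha ($($why -join '; '))" }
                }
            }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-FileFindings)
if ($findings.Count -eq 0) { Write-Output 'No indicators from this report were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The hashes only match the exact files recorded in this run, and the value name Parametr and the directory names can change between builds of the same malware, so treat the file-name and hash checks as confirmation and the structural checks (a Run/RunOnce value pointing into a non-standard root directory such as C:\AdobeD8, or an executable dropped straight into a Startup folder) as the more durable signal. The report does not say which of the 3.0MB files under Downloads corresponds to which dropped executable, so the script compares every listed hash against every candidate file rather than pairing them.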
Processes
C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1976

  child of PID 1976: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2172

  child of PID 1976: C:\AdobeD8\devbodec.exe
    Command line: C:\AdobeD8\devbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2952
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 3.0MB
MD5 9e975c37e7c7a1aad16585c7e35d52a0
SHA1 1a06478eb20271911b7568436a54dfbbc8a00ba6
SHA256 d58048d54d222d28cb1823a9361f38c97fcdc30cd05daa47b7f893879a4241e0
SHA512 83a867e6376a7907718535f838bfab0b3669c510bfab36263c1bc129ef4fb19b22b10788c354e64f9f5b47d1dba7d0ea00b162679b21154e32f2f5f2251553e5

Filesize 3.0MB
MD5 bac4a40967d76c1b473b8fa622fc4ea7
SHA1 5429e5d703ca6eda5958fdcb76d381eaccebd723
SHA256 a0817ed4cac64f7e915c6a2be51250b4d8a3fb68e50fde65ec96931c9401ffc8
SHA512 d046a678dc5f0e31e0dfd42b79fcbccb3a59a13d3cc1c7d387e53e194bf9f458b238e9b87f6748c8f1d27e66aa2150696b3baee0db9d4b7a15ceb2472f7a7455

Filesize 3.0MB
MD5 b854eeb81822e822d8816a73ae35804d
SHA1 4c6402efb465f40d65c737368cbd7a8e43a8871d
SHA256 20fb6310aa26757811e6c13f8da31205618beab4e3568c341860de34bfef9edc
SHA512 616e90f91085e6206118b9d22e09b292ad58d1e2703c4836b77843dd3880e1cf407acb875ffb885c8b4f33adad5fa9dce35fe2f40821039e63417d2535afc0fd

Filesize 170B
MD5 780dad1329e5a0514260b30fdc670802
SHA1 0a2111b16032892a179c5b25acab0bbbe2b9d03d
SHA256 aa79b147603ccb5271e88b84523ec718c7e387d05281541eda4cd6a8868eb713
SHA512 75f2bd676715e67101fd33c8b83fad363222b1d4ea301339e0e4a84d7ca704fe98658dc8374fa9312b3b94ea6043c5d2ab3e4ec6e7e5d06a2f37f9d48b82b05f

Filesize 202B
MD5 6b1759eacedf4abc0795c2008b8c87fa
SHA1 6af814273ea81115f359ec8829383e77e865b3fe
SHA256 103a4e278c5fed08d89962af7f83b4c3976ad2f1f97a87bbc9cd19b44ea772c0
SHA512 b625b2d8d8dd9283f114bdebd8777aba6673b957deec36a39f7cae611fe4a5dbd57574b831690ad9980d6e735bf59371941cfe9445d8f041a3393cd384451fa1

Filesize 3.0MB
MD5 ce4c119122a8085443db7eee9c589368
SHA1 8ff8b85555ac28a4c993fa8430da15d9fbd8aaba
SHA256 a62bb65a18e1bba520804f71d75a1e21ad852feb9b4d746d96ce91ea1d88112d
SHA512 d54cad9c6d6deca6b771c870dc9fd454d0e27012d2b9cb22f8bec0f2c6c0105d8a9c1f713c8e9be06d85e3c5f2201617f42854237d89c26830d30c0935359114