Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 12-06-2024 13:59
Static task: static1
Behavioral task: behavioral1
Sample: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Size: 3.0MB
MD5: 400a6face13f1fb9d5a6cb6140049db0
SHA1: b48827a61837d78b608f5389ea755c018a540de4
SHA256: 9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1
SHA512: e449299967c4ad0cbc3c92ea3cf3f15c7035c99e913fe6e6625f10a92511c5c395ee9f62c3f2a015074236598d78192c4915bd480d291461349bfff5976ee6cb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUp8bVz8eLF
Malware Config
Signatures
Drops startup file (1 IoC)
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Executes dropped EXE (2 IoCs)
  PID 1712: ecxdob.exe
  PID 4404: xbodloc.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHO\\xbodloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTO\\optixec.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 232: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe (4 entries)
  PID 1712: ecxdob.exe and PID 4404: xbodloc.exe (60 entries, alternating in pairs)

Suspicious use of WriteProcessMemory (6 IoCs)
Process: 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
  PID 232 wrote to memory of 1712 (procid_target 93), 3 entries
  PID 232 wrote to memory of 4404 (procid_target 94), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 232
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1712
  Child: C:\IntelprocHO\xbodloc.exe
  Command line: C:\IntelprocHO\xbodloc.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 4404
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
PID: 1176
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 151KB
MD5: 2921ffe8a4e8a12530fb478f80db260b
SHA1: 51d864e897362108cffcf37045a159c082c66a32
SHA256: cf732cbf467594c808a2b0c7fbdcfff3879f594881042ddc92907815e7ac4f2b
SHA512: 3b2ede172f3b965b7346c22562d1ee4aa99a8784d9d3ed42e8e31d6b1b4db0a29fcf9ff089b7ae659d3ddfb1d115cff748ef515b4fe6ba08c329e01e0f113b72

Filesize: 3.0MB
MD5: 91c9cf90882419da245d635275328f70
SHA1: db7f9d99dc926106008969343da2d2d93de96b3c
SHA256: c09f9e85e482142a4147796a6f7538ff1197857827f439a46fa6bf9f55e86058
SHA512: 4c197a83b570ecf16b1c5c96ee3209a82277cf1ef9c1f45f431a6a490a82363d71c435f66a240f9845a218b868a821b09fcc92fefd3af34f75f68b938f07f8b6

Filesize: 202B
MD5: 9510f81ce1d1da57742e53239ed0fc72
SHA1: 32efa6e84c91475696cc7e705217149c72e3cf00
SHA256: 28361b2b330e347363be8d3a562122f0cd52f5f2dee99be824d8f4c2a9143023
SHA512: 40751e80961aabb176fc3af31675774484c62fe6737242c9c98ffcb3400c669bc84a30113ecbac1526d61f7276ac3a2625c25917199adee5039334a18e2fd0c4

Filesize: 170B
MD5: 44a186e229bd51f745b48e2653a300f7
SHA1: 750a9fd8089b93b9703a990797f9badd1d60253b
SHA256: c0914cece68969587aac9cfbff3f69037ff02f1693efb68c26e74f9990d6b1ff
SHA512: a58c4adcecb1bb53f8bf250782297489440a8fc73db45a8051724532be6b1c5952be79cb2b3622acda13d1f767a0d4cf382b8c7174e3779b4e748be86da49251

Filesize: 3.0MB
MD5: e7a517a40d84e634dceaab22ed0d64a3
SHA1: ae26fc521ee544a4859a1f500cdac3d2c7f71c94
SHA256: c34dec97ca67bc3e4c0b6b99445d11cbaeb6ed1f5deca1281672389637a1b162
SHA512: cff9ab0f4a31a4f917858df431de7ad373619851356b066352c0e8e8af3f5eec929dae4fa23408f9b986d8a1e0f4f046b72b40c18e0856ad7675ee499b2f775e

Filesize: 2KB
MD5: c5cfe1fb3ffc85f6f58808a90a25e91e
SHA1: ea78a58a967d2365305ccabf1b39b6f7b0a0b7e3
SHA256: 50c90a817d63d059b816ac95af37989df34e48ec70ef2acc583abb3cf31cab51
SHA512: 5dc1e22ba14edba2a7edf8e9a293b062eaede2c7b009297aaa3b1e6a770471f162799a9e1d7fa3d802fcdb3b64c0c79bb4ebb9ef8c89d0aa31f21e642d728cbe

Filesize: 3.0MB
MD5: ba4f640a21ee5061e0bdb1a1aec8bc11
SHA1: ff64bdfb13b631c3ae5756376f574e522fff116b
SHA256: 961a4b9c7883c1c211c6e53ca0364bcafa69c13fba4843d07664ddf08eb8b543
SHA512: 28e087d08b87d4f98e2fe30c4d455a0b726d0f2868151c1a264a353934face9b88a1bac9dd3333457f93c58e11d21f923ae008501fe7455911e875f2b6d403f4