Analysis
- max time kernel: 149s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: 5e1c8de89597847d39f9443b7bd03160
- SHA1: d10c16c03ba59aeb9a0b2d4fc5d9e4bae428ff53
- SHA256: bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec
- SHA512: b6f4d75a44e3d23666e3fd8f6b27255771869f6bf015a837289602ae31df63c818a8f3f352b6e322352f3d78f6e0c070fbbc45c9a4aed926168331dba444a756
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUptb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  Processes: ecdevbod.exe, devoptiec.exe
  pid | process
  4524 | ecdevbod.exe
  2168 | devoptiec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFU\\devoptiec.exe" | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ36\\dobdevec.exe" | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe, ecdevbod.exe, devoptiec.exe
  pid | process | times listed
  1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | 4
  4524 | ecdevbod.exe | 30
  2168 | devoptiec.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  description | pid | process | target process
  PID 1632 wrote to memory of 4524 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | ecdevbod.exe
  PID 1632 wrote to memory of 4524 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | ecdevbod.exe
  PID 1632 wrote to memory of 4524 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | ecdevbod.exe
  PID 1632 wrote to memory of 2168 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | devoptiec.exe
  PID 1632 wrote to memory of 2168 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | devoptiec.exe
  PID 1632 wrote to memory of 2168 | 1632 | 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | devoptiec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1632
  - (child) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4524
  - (child) C:\IntelprocFU\devoptiec.exe
    Command line: C:\IntelprocFU\devoptiec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2168
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 328KB
  MD5: c4f83f89913d922645c736eca3a7d7c0
  SHA1: e7abf0d004e66cd4e9bd82cad6027f5257f0dccf
  SHA256: 71d500d6c794da9230f8dde91cd41d6de5af59fea5eb4b1140e89914afa08bde
  SHA512: 1b93dac85ca2e7713977cca57705fdfeeb470dc1d9b72eb4858a2f5d30ff0c64b234425491f7576f3afb4627d41391f5237bbe75e3a8d9c9913f8014e505d595
- Filesize: 2.6MB
  MD5: 36dc548713e327e5d194c946b1dd8b4f
  SHA1: 667a693c695074b8e496b9c1b4ceac8fb16b96e4
  SHA256: 926cba8c61e26c002f29a068df048b89bd76366e879c7a10dfaed734d17932f8
  SHA512: e007655f7fe1ef74e390f3e8c61488b837c467de24c5bd2b452c0ae83eab70f5c1fb54c730f14e4a3746f931ebc37852d4d5c50bc722540fb75b5e9b790a398c
- Filesize: 2.6MB
  MD5: b42aceeb7d6026522214786e59f568eb
  SHA1: 119a53f62efdbe60109ec165bdc5cbaa4e1f10fd
  SHA256: 82c2b77061151e3f5388562591a5f1b5f429adfbb897ebe184f36ef36de58549
  SHA512: 94949c4a45c20eaea2c173b6adc340fdc31bedcec3dc915f90eb31ea2bb850f1345592ba93330bb023829cc0a1fc5738070b12b9b62c94b70395b05537d7ed79
- Filesize: 1.1MB
  MD5: f23ada096c7adffd47957ad97468d399
  SHA1: c50b77a9a9105b8ffe2684eb9748c4aabb789354
  SHA256: 0122af29b48c157ddfeb2daf79d543072119c7368fa0a811c2d35340416fa3f3
  SHA512: bfa83b3b79ea4baefa4e67423807594b627d0bba13b99ebd51a22408dc1d264b4c20b7bed9acb7ac1acac32e5d16b2403195e7422a4222128a7605485ad410a0
- Filesize: 208B
  MD5: 75e17df605a4bc141e54df12e60868b2
  SHA1: 232fa44e3890b2f0df87f200ae265ce725cd46dd
  SHA256: 6443b15bf2d29e46fb5a6c52849617558e90d67ba048b6232d7927caa2dabbd3
  SHA512: 74189d2fd1e3737c1bf396efc28a86cef76faab9ad675fe97820e122f062a3742e7863113efb684c3ab690e02ccb40b6c2dffade4c28c95753e3f6ae8c961ac0
- Filesize: 176B
  MD5: e90df232ec7d919d78029857aca3d7db
  SHA1: 7b9b5d60c8e33ed2cd164ddc4d358c6c2f0d8dc4
  SHA256: 23410bcbb8999043cf573d56f9c415ea408cc347835db57c45db417d7e9d4ad9
  SHA512: f253f2bd85c49504700e81e0a08f015e4529dcfe8c8c32fe36b0141e87d8b3b281ef1b4f2b3a8f70150d7b1d8307e0fae0e1a3ca59913f409da9750611786599
- Filesize: 2.6MB
  MD5: 88c42fbd28eed6898c86e0a12489155d
  SHA1: 13569bd81d69f3a43c31bbd8fc2ab050984dce4f
  SHA256: 1eaba797348d4b58df309de541a06cd2a7396ef95a0d32961976f469936b3c04
  SHA512: 52e53bcecefdb7dd8d84528598c2174d18e0bf9dfb9218b42d52d801d761c4ce1c4cbec682955e96c039ae457cee8b497025e0fff45d6e301331c10fbd4b5713