Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 04:28
Static task: static1
Behavioral task: behavioral1
- Sample: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Size: 3.2MB
- MD5: 5e7e5d3c8a80fe057652c13e56c93a50
- SHA1: fe47b778a672a59b06f7ce51e46c9a0bad9f2ed2
- SHA256: 9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6
- SHA512: f352480b65cc7bc075e9f1542084f49ecf8a070c0ce4a11ab1786473dfb9058d81ab62834a5023a7e5f63cbe744fb9edd8a8cb814fc9667de7d1e2ffbad8584b
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  3020 | locadob.exe
  2292 | aoptiloc.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2024 | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  2024 | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\aoptiloc.exe" | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWP\\dobdevloc.exe" | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2024 | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe (2 entries)
  3020 | locadob.exe
  2292 | aoptiloc.exe
  (the remaining entries alternate between 3020 locadob.exe and 2292 aoptiloc.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2024 wrote to memory of 3020 | 2024 | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | locadob.exe (4 entries)
  PID 2024 wrote to memory of 2292 | 2024 | 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | aoptiloc.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
  PID: 2024
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (child of PID 2024)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 3020
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files7F\aoptiloc.exe (child of PID 2024)
    Command line: C:\Files7F\aoptiloc.exe
    PID: 2292
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads