Analysis
max time kernel: 149s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
Size: 3.2MB
MD5: 5e7e5d3c8a80fe057652c13e56c93a50
SHA1: fe47b778a672a59b06f7ce51e46c9a0bad9f2ed2
SHA256: 9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6
SHA512: f352480b65cc7bc075e9f1542084f49ecf8a070c0ce4a11ab1786473dfb9058d81ab62834a5023a7e5f63cbe744fb9edd8a8cb814fc9667de7d1e2ffbad8584b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (by 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe)
- Executes dropped EXE (2 IoCs)
  Processes: ecxdob.exe, adobsys.exe
  PID 756: ecxdob.exe
  PID 5056: adobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1M\\adobsys.exe" (by 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMV\\dobasys.exe" (by 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe, ecxdob.exe, adobsys.exe
  PID 4880: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe (first 4 entries)
  PID 756: ecxdob.exe and PID 5056: adobsys.exe (remaining 60 entries, alternating in pairs of two)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
  PID 4880 (5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe) wrote to memory of PID 756 (ecxdob.exe): 3 entries
  PID 4880 (5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe) wrote to memory of PID 5056 (adobsys.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe (PID 4880, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 756, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot1M\adobsys.exe (PID 5056, depth 2)
    Command line: C:\UserDot1M\adobsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads