Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
Size: 3.1MB
MD5: 5bda9bcf5c906737b67fc3e01fc374e0
SHA1: 12075b48fe688594ca8134fa2803edea71ecc1cf
SHA256: 39825b96cabf19ac29ee9dc3ad9d49c9daed4e176e2eeff742aafab63e619c4b
SHA512: fbb9753e426194baa5d8de5d4d44973a6beefc691e9b1bba586d43ad703fddfaae9fe76a5070d8ce794c1614c4f7fbd139e92b76de0c169694e73f188313cbef
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUpebVz8
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (process: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe)
Executes dropped EXE (2 IoCs)
Processes: ecabod.exe, devoptiec.exe
  PID 2332: ecabod.exe
  PID 2720: devoptiec.exe
Loads dropped DLL (2 IoCs)
Processes: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  PID 2204: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZK\\devoptiec.exe" (process: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOK\\dobxec.exe" (process: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe, ecabod.exe, devoptiec.exe
  PID 2204: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe (2 entries)
  PID 2332: ecabod.exe and PID 2720: devoptiec.exe, alternating (remaining 62 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  PID 2204 (5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe) wrote to memory of PID 2332 (ecabod.exe), 4 entries
  PID 2204 (5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe) wrote to memory of PID 2720 (devoptiec.exe), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe"
  PID: 2204
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    PID: 2332
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\IntelprocZK\devoptiec.exe
    Command line: C:\IntelprocZK\devoptiec.exe
    PID: 2720
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
  MD5: 8825de33be877a749bebf86b8cf46dc1
  SHA1: d108fc9bdbd992a8a9c6576e23fb53191c0a616e
  SHA256: a7e67e0b665a0f8067042bcf876666adccb0ee050b1dfde7fcc417e19c312a24
  SHA512: 61306cbf772dadb2be74adf4a23ee5715bbfb6742e5b3081c114bc3133aa4d5c6ac083cf117d9f4c5049786aa793ae1d6300dc2f0864d77632a4cc1401564264
Filesize: 171B
  MD5: f7ce3250933ed073d68c5e2a19e28b9b
  SHA1: 26e3515bb4ceeda73add95e32c9205d871321810
  SHA256: f2a2b1a05acc7cd3644d6f13eb6fe821c809de144117cfd72043564c4b2b8da8
  SHA512: 1f5802a19932087d870a964d84b982113fb42c5101cbbe0568f6f3dafe7e3d88db93fd11d8e0c1e72d2042f3eaa1fe6fa56e74e986919b0607f155abdc317bfd
Filesize: 203B
  MD5: 67670630dcda00e77b5681e3d5165c01
  SHA1: f38df4a2cc4d266361b2f84b66700551a2c83a18
  SHA256: 74a5c51b6ca7db87d7301a3a1dc0d010ade38149d9303a714828019e41cf6ee7
  SHA512: ccb49988c7b8cf9503ff0eae107b9c5c47245e66c81de6f6029129a918be76d4dd9e63af694434da7fc922834182485af19d70d0ca29c40fbf72d8fb4c430f16
Filesize: 1.4MB
  MD5: 1846af9e8b55558541978d7c56478edb
  SHA1: 547f27f580ed217db608fc58faecb1dcb3b7543b
  SHA256: 7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd
  SHA512: 863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b
Filesize: 3.1MB
  MD5: 437ec0232edc86e6534546391a85e206
  SHA1: dfa0b9325f08ab87efa8318e1a6f123918462b3b
  SHA256: 7d1599ca2f7b0630e1f0532ccf39cb18ec2eb240997ad8dd4c4cece57cf7bc37
  SHA512: 5d34598d348b079c41f14511a6be71331707917c346fe3cb1ae8e9bf4735b28eb8eb6265965e66f9d8474d15075221cb889b3104562cd7ff6098a33793c00371
Filesize: 3.1MB
  MD5: aaee34b1aa08e4048c6f1c40eff55dd5
  SHA1: 74b4cdd869abaf7578bb6f5b4a54a224cc3ed973
  SHA256: 3c4b06f3247708f7a43a477e9db142a0fe34879747d746dc32cab30b7a3dfc97
  SHA512: 13b815e640f52518175e8ab8cbfc147d04eaebc432116d4d6c894521465881583dfda556438eaccf1f1cb368faf8e6e4ec744d4f57bb7990fe78cf95653038df