Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
Size: 3.1MB
MD5: 5bda9bcf5c906737b67fc3e01fc374e0
SHA1: 12075b48fe688594ca8134fa2803edea71ecc1cf
SHA256: 39825b96cabf19ac29ee9dc3ad9d49c9daed4e176e2eeff742aafab63e619c4b
SHA512: fbb9753e426194baa5d8de5d4d44973a6beefc691e9b1bba586d43ad703fddfaae9fe76a5070d8ce794c1614c4f7fbd139e92b76de0c169694e73f188313cbef
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUpebVz8
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
3296 | sysaopti.exe
1016 | xdobloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBT\\dobdevsys.exe" | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQD\\xdobloc.exe" | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the 64 entries collapse to three processes; count is the number of times each pid appears):
pid | process | entries
2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | 4
3296 | sysaopti.exe | 30
1016 | xdobloc.exe | 30
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2792 wrote to memory of 3296 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | sysaopti.exe
PID 2792 wrote to memory of 3296 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | sysaopti.exe
PID 2792 wrote to memory of 3296 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | sysaopti.exe
PID 2792 wrote to memory of 1016 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | xdobloc.exe
PID 2792 wrote to memory of 1016 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | xdobloc.exe
PID 2792 wrote to memory of 1016 | 2792 | 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | xdobloc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe"
  depth: 1
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2792
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    depth: 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3296
  C:\UserDotQD\xdobloc.exe
    command line: C:\UserDotQD\xdobloc.exe
    depth: 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1016
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 5eb070252d8ef00ee121ccaa611737f4
SHA1: d7d4864e83efa11bbec8ad37bf70c718498e141a
SHA256: 5a77f0e9c286e823978b21c993cd8847184d678c3b3c5b545f74792a2dc16ffe
SHA512: 2c79f4747983bf4dc5ba6206206ab0a039448feb7ed1d21e2cbd99a173797785a11ef3e39896b481d551fa37ed981290c7656380b62d7f757c036bcf2a7fdf70

Filesize: 615KB
MD5: 7e94b7c02dac91553204eca8fa82452d
SHA1: 6488fbec063c70d076db8a5b8d8a15225561eb0a
SHA256: 8792be509e525f9fb04233917c7a16872f42933fe29a0783af016ec361048f82
SHA512: fddd463b251b9b388f4acaa9945d8da6e136c71b8a64e05d848cab24d1c615087f59b9227d22b4d4aa843b31b4c94f418822236eb377bb103b92553bf240dc9f

Filesize: 3.1MB
MD5: 882e61708d0e4b16694253fcbb11b251
SHA1: 50cddcbad38da028d3a85bf28ff536fd453a5d58
SHA256: e13c30a75d130a988ee6c85fb581a87e681b12e5a147d960e45bfb10a9b11e6e
SHA512: e12d418a8a1ac85fbdc6c2d7967bc14cbdf8fa6e39941ff82956c3c810df6448952fce58e19deef25ab4eebfcdd7aed13749a583df558dfbd3c3f790589b3b04

Filesize: 206B
MD5: c8c5f675830a736cbf83d86c7dec7d3d
SHA1: 81e6065b1925c85d3e8c8e18602badf7f5e79eae
SHA256: 4332fcf22769184e45a00b72b72e246feed1f94b6f3c8fe58cb00fcced667c28
SHA512: d35943714b2919dfe43bd7fa9ce4d134037db9a2b5f3ec463f769b80b691caf3fb77e33d391109b7368414aa4d722bea52e122ec7e964eea5572d571a740fc9c

Filesize: 174B
MD5: 7bc27bb3e75135ef34d0e53a96993240
SHA1: 7ba831b3efdfb245b8c86fa7c4a11e3df2c2e5ae
SHA256: 8b42d2e205731929ea420139054a6dc5463142814549b10c6a31dc881180a38c
SHA512: 51b761c0b48b6544d5fc024e12169b20fce8f96cf3005373aa1b1fe47b536a955bef5a65dd757e0d8f611a8db903d0763bb421ed8e7aaef94c475a0d10aa320d

Filesize: 3.1MB
MD5: 8524b433c3d924996e208d60a7a84dc4
SHA1: 6e77aca12860ef07cba8ac5a0396c513683c6939
SHA256: 423d056b2f307b6789b766baf1ebf389f06f17662bc5dbe002666ebce075c2d5
SHA512: 7583eb9b3c78f052663397d89398d95d585513e828dbbd487d87eece6234f7527b4096c93f37bc9719c0e1fab286ccfe18f3c5c531bc5e3a0e1d6574a53de3b3