Analysis
-
max time kernel: 150s
-
max time network: 119s
-
platform: windows7_x64
-
resource: win7-20240508-en
-
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted: 13-06-2024 03:49
Static task: static1
Behavioral task: behavioral1
Sample: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Resource: win10v2004-20240611-en
General
-
Target
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Size
2.6MB
-
MD5
5c08244a62b4d0b537912c76aac4c750
-
SHA1
2043dd2595bb5ade66993ef8950454f842beba16
-
SHA256
026c597d45d928e26b89bf7931592333194b8771ae0c3fba0c57f1a3add20f3f
-
SHA512
7a0bc94224f729645904a2c6236ba784276155b0b209e3a3948debfdb299b1890ee20afad997d9e5b825b71be8eb770ae924864645f63da4d393da8d86027d9b
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
process: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Executes dropped EXE 2 IoCs
Processes: locabod.exe, xoptiec.exe
pid 2792, process locabod.exe
pid 2612, process xoptiec.exe
-
Loads dropped DLL 2 IoCs
Processes: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
pid 2980, process 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
pid 2980, process 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0S\\xoptiec.exe"
process: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP0\\dobaloc.exe"
process: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe, locabod.exe, xoptiec.exe
pid 2980, process 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe (2 events)
pid 2792, process locabod.exe and pid 2612, process xoptiec.exe (alternating repeated events; 64 IoCs in total across the three processes)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description: PID 2980 wrote to memory of 2792 (4 events)
pid/process: 2980 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
target process: locabod.exe
description: PID 2980 wrote to memory of 2612 (4 events)
pid/process: 2980 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
target process: xoptiec.exe
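The two persistence signatures above (the Startup-folder drop of locabod.exe and the Run/RunOnce values pointing into C:\Adobe0S and C:\MintP0) are the durable IoCs in this report, and both are cheap to hunt for on an endpoint or in sandbox output. The following Python is an added detection example written for this page; it is not Triage's code and not derived from the sample beyond the IoC strings quoted above. It replays constructed events shaped like the signature lines through a small classifier that flags Run/RunOnce values whose target lives outside Program Files or Windows, and any executable created in the per-user Startup folder. The allowlist of expected roots, the mapping to ATT&CK T1547.001, the benign control events, and the event tuple shape are all assumptions of the example rather than anything the report states.

```python
"""Classify the persistence IoCs from a sandbox report as Run-key or Startup-folder autostarts.

Added example for this page; not Triage's code and not taken from the sample beyond the
IoC strings quoted in the report. EVENTS is constructed to mirror the report's signature
lines as (event kind, registry key or file path, value data) tuples.
"""
import re
from typing import List, NamedTuple, Tuple

# ATT&CK mapping is the example's own assumption (the report names no technique ids):
# T1547.001 = Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
TECHNIQUE_AUTOSTART = "T1547.001"


class Finding(NamedTuple):
    technique: str
    location: str  # "Run\\<name>", "RunOnce\\<name>" or "Startup folder"
    target: str    # the executable that will be launched


# Matches HKU\<SID>\...\Run|RunOnce\<value> and HKLM\...\Run|RunOnce\<value> in the
# \REGISTRY\... form the report uses.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\S-1-5-21-[\d-]+|MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Per-user Startup folder; anything executable created there runs at the next logon.
STARTUP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    r"\\Programs\\Startup\\.+\.(?:exe|dll|lnk|vbs|js|bat|cmd|ps1)$",
    re.IGNORECASE,
)

# Assumed allowlist: roots from which autostart entries are ordinarily launched. Tune it
# for your estate; many legitimate updaters also live under %LOCALAPPDATA%.
EXPECTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


def normalise_path(data: str) -> str:
    """Turn the report's quoted, backslash-escaped registry string into the launched path."""
    data = data.strip().replace("\\\\", "\\")
    m = re.match(r'^"?([A-Za-z]:\\[^"]+?\.exe)\b', data, re.IGNORECASE)
    return m.group(1) if m else data.strip('"')


def in_expected_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in EXPECTED_ROOTS)


def classify_persistence(events: List[Tuple[str, str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for kind, location, data in events:
        if kind.startswith("Set value"):
            m = RUN_KEY_RE.match(location)
            if m is None:
                continue
            target = normalise_path(data)
            if not in_expected_root(target):
                findings.append(Finding(TECHNIQUE_AUTOSTART, f"{m['key']}\\{m['name']}", target))
        elif kind == "File created" and STARTUP_RE.match(location):
            findings.append(Finding(TECHNIQUE_AUTOSTART, "Startup folder", location))
    return findings


HKU_SID = r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
# Constructed events: the three persistence IoCs quoted in the report, plus two benign
# controls (a vendor updater under Program Files, an unrelated temp file) that must not fire.
EVENTS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe", ""),
    ("Set value (str)", HKU_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     r'"C:\\Adobe0S\\xoptiec.exe"'),
    ("Set value (str)", HKU_SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     r'"C:\\MintP0\\dobaloc.exe"'),
    ("Set value (str)", r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     r'"C:\\Program Files\\Example\\updater.exe" /silent'),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp", ""),
]

if __name__ == "__main__":
    for f in classify_persistence(EVENTS):
        print(f"{f.technique}  {f.location:<16} -> {f.target}")
```

Running the block prints three findings: the Startup-folder drop, Run\Parametr pointing at C:\Adobe0S\xoptiec.exe, and RunOnce\Parametr pointing at C:\MintP0\dobaloc.exe; the Program Files updater and the temp file are ignored. The allowlist is deliberately narrow, so expect to extend it before using the logic on real hosts.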
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
command line: "C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2980
-
  (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2792
-
  (depth 2) C:\Adobe0S\xoptiec.exe
  command line: C:\Adobe0S\xoptiec.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2612
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
7a468c233bf617ba35ce3fe9269a40bd
SHA1
19039095dbc3ec6e97bc2c1dd095d4ed12140864
SHA256
d789e1524f91c818961647f84e6c413b004469b235d2b4b383cfee051af45590
SHA512
9bbaa924cbc7a7e59002ef270e9b76c820f057102f34d135bace9724018d1028aca393b3066f066573a1e21f15acafd40eb8fab18a549548a587da615d3ee445
-
Filesize
3KB
MD5
1158f86a0845ee6fe9ce7b682fd51439
SHA1
caf9890ab05a6eef87827bb3ab60eaee3b254faa
SHA256
3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1
SHA512
3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503
-
Filesize
2.6MB
MD5
a73a05a48f486fba0fd8eed601b3b15e
SHA1
7802ed77b26f5a50c06521d0bedfbcb2c2707479
SHA256
f9549bdab954b9c50d6bdc3120de9a93125561daa67b0884ee626c2898a4b9ea
SHA512
2b2577e1b90809d0ebfdc81bffae3c264aa44885d08dc83979c2514c2c8fdefc52bdf24469f3c5f42e200725066b6525256cebf7d31a02949d79d47a0eef7115
-
Filesize
168B
MD5
5ef5e9b153c6c06228b95a709a8abd67
SHA1
f803c837f534f91a8afbc95d5cce7bbb2266464e
SHA256
67878f4eac93250baa7de5f609bac7b0668d1881c1b428e07ceb7403acce2852
SHA512
cf2d910d6f6e6e765715a0f128bb22bf1ef93a86d07a4c2d0d1088c0231bab7d7533855018ce593af98de36447adbdd3e3c8d64055f4b21b8f71e53fe2bb0eae
-
Filesize
200B
MD5
2b195f8d7a534217008bf5186a79f723
SHA1
243e8aaef3c64a07175e8b88c158c525cc351f30
SHA256
cc2f4cbc8b1691232af154545a4c5c5674cdc642f29d64cd45917e188e31fe6e
SHA512
bd14b180768affed52c27780bc594a1b4534422e362a47933fc68c48851b89423f048b7205e932140becdb2a72c98ef975eb3ceabbec4b98a52bc9cf2cf200e7
-
Filesize
2.6MB
MD5
afef198d37ebcbd3d8ab23da3dc389ce
SHA1
4b2e7f0a0fdcb763c57a062a48afd2e3c9b77eff
SHA256
4ed8d09b751c1ebf00d444d33682f5be91813a1873d328cf9743a35203de9eec
SHA512
6d6578a1b89cfd02de329576e51b44590e10fceb645532c45877ed71d6faf1a010c647b5a2654a9d159610435597b156d43790bb030fc6a4325d0d5ff407052f