Analysis
-
max time kernel
150s
-
max time network
139s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
-
submitted
13-06-2024 03:49
Static task
static1
Behavioral task
behavioral1
Sample
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Size
2.6MB
-
MD5
5c08244a62b4d0b537912c76aac4c750
-
SHA1
2043dd2595bb5ade66993ef8950454f842beba16
-
SHA256
026c597d45d928e26b89bf7931592333194b8771ae0c3fba0c57f1a3add20f3f
-
SHA512
7a0bc94224f729645904a2c6236ba784276155b0b209e3a3948debfdb299b1890ee20afad997d9e5b825b71be8eb770ae924864645f63da4d393da8d86027d9b
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Executes dropped EXE 2 IoCs
Processes:
ecaopti.exe, xoptiloc.exe
pid | process
1540 | ecaopti.exe
1624 | xoptiloc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files97\\xoptiloc.exe" | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintE7\\dobaloc.exe" | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe, ecaopti.exe, xoptiloc.exe
pid | process
636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe (4 entries)
1540 | ecaopti.exe (30 entries, interleaved in pairs with the entries below)
1624 | xoptiloc.exe (30 entries)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
description | pid | process | target process
PID 636 wrote to memory of 1540 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | ecaopti.exe
PID 636 wrote to memory of 1540 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | ecaopti.exe
PID 636 wrote to memory of 1540 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | ecaopti.exe
PID 636 wrote to memory of 1624 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | xoptiloc.exe
PID 636 wrote to memory of 1624 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | xoptiloc.exe
PID 636 wrote to memory of 1624 | 636 | 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe | xoptiloc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"
Tree level: 1
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  Tree level: 2
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
  -
  C:\Files97\xoptiloc.exe
  Command line: C:\Files97\xoptiloc.exe
  Tree level: 2
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
26KB
MD5
df281bfeed20966154202479017c5833
SHA1
4bf02ba05985093e394a2a23df43add0038675b9
SHA256
5413f4323302e1679a11a57735e607bb6ff9d272be4b1c4c1760047c276d331a
SHA512
a99e6ed87160371c89e4227c2f969aede9f83aa0e79fc383e7ec10c798f9bcbda8c8724403693b72590bdd31c583835bb832da6dc5552d02abbd633c705ca590
-
Filesize
2.6MB
MD5
9138a7243c40092ed1843c64e0925d99
SHA1
3d199c8a7234750e950f0a8ad05c1cb56c3b2bb1
SHA256
15fdb69c12a6910874423bbad389a9017b27f8997e8981d4fe10a5fe288f08df
SHA512
eed6557044c431910f83d7bbe8263c914d22a870d41ff26e198f33c501f40f96097cdb860bdbbdb3d458d0bb3724b8aacafe2c311db911fe574c2c4fe1aadbb9
-
Filesize
458KB
MD5
c154fed2ae3c7a19cab82c777f1b2e52
SHA1
6e34d7cabc2af9ee235b29ce05c0819d4bd27593
SHA256
43b908b5a992193164bf5e4ba7249aa82dca4c898151bdf0edcd154c5d91ddc9
SHA512
fdc57705b714084ae2223c208cf0a409ae2e2f6037808869a2dcd4121cfdc204ec9a169d542c2234a3875f7e6d8261de0b5f774f75bcb2ef7addc3b7fd0388ab
-
Filesize
2.6MB
MD5
2b5e1c56a9666a14a1330e7a47ec7e48
SHA1
bf34ab7d17ac4425015d54e4e5a9a1434443f44b
SHA256
fe0d140ad955b1cf0a97f2fc41de8ec133905956e919b1f950590010e6f1852f
SHA512
caf33f86a89e9e3e995fd86965bcfb444653f5559dfc5a477613e3fd9f47bc6f5d32b9b4086239b1b02099c1a6714a83718f04a5656ca2ba18c20d7fd651dc49
-
Filesize
201B
MD5
f35923818eebaa8a99296c8c1782e7dc
SHA1
bf6bc089f9cbf12d9ebbb779127bcfb0de04ffd0
SHA256
630d9e36d71b9b8d9dc765991eeb57c9fea941e70a1d1bda05ea2b08e87e5e45
SHA512
a5282380e2366efbb4ffb41f58b7dfac1e25a36a069be359c157475f1669d6f05700b2ad67507220fdafecd44cce92908ba2108f8bc1de079841aed3bb57407d
-
Filesize
169B
MD5
f9558f891c8a1ef7ba064bdee2c43839
SHA1
de3618ce5743aa4fcbdaed37598394f4348d76d4
SHA256
002f96c97042ebcc8f477720f87b61bf51b2d271cdb9ad6e1d504e18753c819b
SHA512
a401c947f6f8a14aab261fa08a5d9cf9ed0f3fac9f916a973bec62aa7e27dec43d984df257f4b7351641a0e001c683e59267ed8fdb51de0e8dad403801897f7c
-
Filesize
2.6MB
MD5
b822fb89aed1bfa6e460b0409d15dfb8
SHA1
a4754e5706a83698383e4e841303f8a2bd660e02
SHA256
a90e9847977228d0fbb268bd6ec74222f6108293ba0615b3842487dacd4d30d4
SHA512
c19b40aa9c5942bf7a7cf6a27c7f2d2c4001a4c23d6a615a836c04dea1dcba5330bbf346bc0f222e58d0e554920976f9527e2e79d92fc0c77c50c6c29fb7cb00