Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 05:30
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  Resource: win7-20231129-en
- Behavioral task: behavioral2
  Sample: 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
- Size: 3.0MB
- MD5: 624002f183a1ecc2a19fb2a9e53e8a30
- SHA1: caf05969f44c5b205f1930eeb587855b0bd89004
- SHA256: 82b1f1d0604e41e8d91dfcbfcb6e1369f8db744e30965909725e0bf3e0dd860f
- SHA512: 55634343938e58dedf87e5a14dd35af129eba8b5267c3ab64dad62e1f9bc4c823e77cab5fa8b9688b16303bd5d5a98e2d61713b078305c3e0f519ae1ab83157c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNX:sxX7QnxrloE5dpUpjbVz8eLF
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2712 | locaopti.exe
  2912 | aoptiloc.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2936 | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  2936 | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKG\\boddevloc.exe" | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYN\\aoptiloc.exe" | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (distinct pid/process pairs; the 64 recorded events repeat these entries):
  pid | process
  2936 | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  2712 | locaopti.exe
  2912 | aoptiloc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 2936 wrote to memory of 2712 (4 events) | 2936 | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | locaopti.exe
  PID 2936 wrote to memory of 2912 (4 events) | 2936 | 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | aoptiloc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe"
  PID: 2936
  Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
    PID: 2712
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\AdobeYN\aoptiloc.exe
    Command line: C:\AdobeYN\aoptiloc.exe
    PID: 2912
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads