Analysis

max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 05:32
Static task: static1

Behavioral task: behavioral1
  Sample: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General

Target: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
Size: 4.0MB
MD5: 6253d0cbca1c76cbfbfd859f4facdbc0
SHA1: ab1f3d98c46ff989c78b56a95480d486fdeafacc
SHA256: 6535faddfcbc48e4c9dd5b3f46f87d99db166beff30029fc65056356fc3a861e
SHA512: 4bb82f501bd3b319e2dec6a0e4138467e7376d17932d4bd9e2a38746d7dc4b7458944ada2a36aa4899b5f32bd50dbff580cba3958d74c7ac2eec84b8f98598c3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
  Process: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Executes dropped EXE (2 IoCs)
  PID 2768: locxdob.exe
  PID 2684: xdobloc.exe

Loads dropped DLL (2 IoCs)
  PID 840: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe (2 events)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCZ\\xdobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\bodaloc.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe (PID 840), locxdob.exe (PID 2768), xdobloc.exe (PID 2684)
  64 repeated process-enumeration events across these three processes (2 from PID 840, the rest alternating between PID 2768 and PID 2684).

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 840 (6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe) wrote to memory of PID 2768 (locxdob.exe): 4 events
  PID 840 (6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe) wrote to memory of PID 2684 (xdobloc.exe): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe (PID 840, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 2768, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\IntelprocCZ\xdobloc.exe (PID 2684, depth 2)
    Command line: C:\IntelprocCZ\xdobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads