Analysis
Max time kernel: 149s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 05:32
Static task: static1
Behavioral task: behavioral1
Sample: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
Resource: win10v2004-20240611-en
General
Target: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
Size: 4.0MB
MD5: 6253d0cbca1c76cbfbfd859f4facdbc0
SHA1: ab1f3d98c46ff989c78b56a95480d486fdeafacc
SHA256: 6535faddfcbc48e4c9dd5b3f46f87d99db166beff30029fc65056356fc3a861e
SHA512: 4bb82f501bd3b319e2dec6a0e4138467e7376d17932d4bd9e2a38746d7dc4b7458944ada2a36aa4899b5f32bd50dbff580cba3958d74c7ac2eec84b8f98598c3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
Process: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Executes dropped EXE (2 IoCs)
Processes:
- PID 3672: sysxbod.exe
- PID 4528: abodec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXV\\abodec.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBML\\dobasys.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 repeated entries across the same three PIDs):
- PID 1900: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
- PID 3672: sysxbod.exe
- PID 4528: abodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Process: 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe (PID 1900)
- PID 1900 wrote to memory of PID 3672 (sysxbod.exe), 3 times
- PID 1900 wrote to memory of PID 4528 (abodec.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
   PID: 1900
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe (child of PID 1900)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      PID: 3672
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesXV\abodec.exe (child of PID 1900)
      Command line: C:\FilesXV\abodec.exe
      PID: 4528
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
   PID: 2708
Downloads