Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 02:31
Static task: static1
Behavioral task: behavioral1
  Sample: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
Size: 3.1MB
MD5: 9b5ded4287c5c3872386297e9a2a1420
SHA1: 1a6924adc275cac1e50417d6d3b876b29e2fc866
SHA256: bd869aedb7e9de4461effd656c188a7dc4798fa614defba50ccc789d5608127c
SHA512: 2c186d4b5d706772be8bbc98fe4c70114e35d6958ceff6cb1917ddb2824d44672ef00bb793300e07c37299f1e5c7ac7bfba1057dcbadabb1ac133517623e5f4f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpqbVz8eLFc
Malware Config
Signatures

Drops startup file (1 IoC)
Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  process: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid 2124  sysdevopti.exe
  pid 3400  devbodec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2D\\devbodec.exe"
  process: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSH\\bodasys.exe"
  process: 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (verbatim duplicate entries collapsed; occurrence count given per process):
  pid 3212  9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe  (4 entries)
  pid 2124  sysdevopti.exe  (30 entries)
  pid 3400  devbodec.exe  (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 2124 (sysdevopti.exe)
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 2124 (sysdevopti.exe)
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 2124 (sysdevopti.exe)
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 3400 (devbodec.exe)
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 3400 (devbodec.exe)
  PID 3212 (9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe) wrote to memory of 3400 (devbodec.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe"
   PID: 3212
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      PID: 2124
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrv2D\devbodec.exe
      Command line: C:\SysDrv2D\devbodec.exe
      PID: 3400
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4052,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:8
   PID: 1428
Network
MITRE ATT&CK Enterprise v15
Downloads