Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
Size: 3.9MB
MD5: 9c94d2158b84017be2fb17e922438f00
SHA1: d4b37f9c17a69394712693d0670f0e032934e586
SHA256: e52e7cd649dbef5ad74239028339c5eac006bf258e5b7c98116f91647775cf47
SHA512: 1293474b21142c41ba0da775b6542ded776150865de9f2362700c567d7f6e18566adad0c9283bebabcd5425d25db9f898c199de7cf342bbc857c512d7f934ee0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUp6bVz8
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  process: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
Processes: sysabod.exe, aoptiloc.exe
  pid 2176  process sysabod.exe
  pid 2664  process aoptiloc.exe

Loads dropped DLL (2 IoCs)
Processes: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  pid 2840  process 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe (2 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDZ\\dobaloc.exe"
  process: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBW\\aoptiloc.exe"
  process: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe, sysabod.exe, aoptiloc.exe
  pid 2840  process 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe (2 entries)
  pid 2176  process sysabod.exe and pid 2664  process aoptiloc.exe (alternating, 62 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  description: PID 2840 wrote to memory of 2176
  pid 2840  process 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  target process: sysabod.exe (4 entries)

  description: PID 2840 wrote to memory of 2664
  pid 2840  process 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  target process: aoptiloc.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe"
  PID: 2840
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
    PID: 2176
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvBW\aoptiloc.exe
    Command line: C:\SysDrvBW\aoptiloc.exe
    PID: 2664
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads