Analysis
max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
14-06-2024 02:49
Static task
static1
Behavioral task
behavioral1
Sample
9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
Target
9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
Size
3.0MB
MD5
9c8cb66857908f54e6105df65d80c540
SHA1
10b44ca5be963bfd479217d606b7bd490a29ae7b
SHA256
c209f8784c6137c1474c554169fc8c5595f7d5a736174dd55c4f2ab86c54069a
SHA512
1fedb0892cfccb48ea9f08b7323443e6a31f6095f5c0c6fab2e772c41e7c815814ee548f5346abe585a889bf5f6824bbc40075dcfb15a940a2e9fa7af347cd15
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs
Processes: sysadob.exe, abodsys.exe
pid | process
2008 | sysadob.exe
2052 | abodsys.exe

Loads dropped DLL 2 IoCs
Processes: 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
pid | process
1704 | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
1704 | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGY\\abodsys.exe" | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxU9\\dobdevec.exe" | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe, sysadob.exe, abodsys.exe
pid | process | entries
1704 | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | 2
2008 | sysadob.exe | 31
2052 | abodsys.exe | 31

Suspicious use of WriteProcessMemory 8 IoCs
Processes: 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
description | pid | process | target process | entries
PID 1704 wrote to memory of 2008 | 1704 | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | sysadob.exe | 4
PID 1704 wrote to memory of 2052 | 1704 | 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | abodsys.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2008

  C:\AdobeGY\abodsys.exe
    Command line: C:\AdobeGY\abodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2052
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
3.0MB
MD5
08c983435dc542ac292418d8746b7b5b
SHA1
4165b0c035b3f1ff00e1d59b83ab16cadc78ae1f
SHA256
9c978ddb104b9c0f665cff46f8f821462eaae73733350391c824876202c2a909
SHA512
0bb7568391b8aa2814e22bf8228b6fa2f33c07b144aeee37d3a137252538f3d021550818458a13d487fa2829196a5aa07a46ff597ef60568894a69a3d5a49a2b

Filesize
3.0MB
MD5
3dc04bab13dd4eba51b2c578f38559b4
SHA1
12d12e1c7f5e61339e353f4ab9e4bdd54125a172
SHA256
71bb12ebf704eaa83ee93a10a89c375cccb998b7ce8f6da6e8a06e25f1480c74
SHA512
5f5f235c0b19d6d56c7e43d2a474fd9f029ab889900ce6d1ded5f645b0e7dbbc7a0b038c064a619e25b5f398b5fba8c3ad651033ffa9e13da0b661c6b1e2e58e

Filesize
64KB
MD5
1fe0d14acbae1f4503fe3c851d715a39
SHA1
6e9ecb695f2b07b82aa67f8a0c7c244f7baada13
SHA256
61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574
SHA512
5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

Filesize
170B
MD5
ee0cf23979604429a04207cd022f7b57
SHA1
d3ac756d6d8caa3abc47228d27a3b3c7fbf52347
SHA256
4cd9a16751718102c5122dbafb77d06c9f76a549dad63653354d303c05e5666a
SHA512
15b0cfffe289eeaa97ea2ad7dfe0f9ccb4844b631e7cdd2beb2287011db3448b02444dbfab51aeeda3fea3a4e01d1c74083393d158fe6c0df3560aa4ba513ae5

Filesize
202B
MD5
eeb861ade3da8591f8f20d2a65a81727
SHA1
922eb486f71158a5e6441edfe94d36f74d67bb97
SHA256
990e49b78575a6826f2b1c2b40a177fd9f089645ff5cb788fe26021453d6a3ae
SHA512
cf8064a3cf8bf3abaacefb766d2573aad91fe6167003659f5c3a2de33dc17210bf86f1aa734f155e4179784ff15418ffd16bbdca320489716c103e704a7f3129

Filesize
3.0MB
MD5
de8ce670df2a2ff6730b90073df744b5
SHA1
bd3201fc7cb8361222e0ab0c025f1a8eb0dac443
SHA256
39c904b158fd709419d970775ab002cf429eccda3ce87e29e559358d7346fcb3
SHA512
4b3bd952185765ee18cc70b5e25a94f0443228bc050d38f7cbda5d3491121edb47e81206fc4fbda53189629a477266b0e50f76bd8a8d20e38753d29999fba182