Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: a9f5ca7ebb7f8249faffc03cea8caec0
- SHA1: c733f0d2e3efcd2921e21acf25daac936ebfc3d8
- SHA256: d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0
- SHA512: 67b5a4670233c10474e9d388cbd567d46e61125d23fb4ca294d40d4585ff55fef65dee8691a406b8c75395fe95244f8328ec773586cb165679ce72c52f351b56
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpQbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 816)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Anything placed in the per-user Startup folder runs at the next interactive logon of that user, so this is a persistence mechanism in its own right, independent of the Run key below.
- Executes dropped EXE (2 IoCs)
  PID 2792 sysaopti.exe
  PID 2896 devdobsys.exe
- Loads dropped DLL (2 IoCs)
  Process: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 816), two load events. The report does not name the DLL paths.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report does not list the specific browser files or registry paths read.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 816)
  Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNH\\devdobsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW4\\optidevsys.exe"
  Both values share the name "Parametr" but point at different executables: the Run value launches devdobsys.exe at every logon, the RunOnce value launches optidevsys.exe once and is then deleted by Windows. Note that optidevsys.exe does not appear in the process tree for this run, and the registry paths are under the sandbox user's SID, so on another host the same values would sit under a different SID.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 816, 2 entries), then sysaopti.exe (PID 2792) and devdobsys.exe (PID 2896) alternating for the remaining entries. The two dropped executables poll the process list repeatedly for the rest of the run, a pattern consistent with analysis-tool or AV checks, though the report does not show what they do with the result.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 816)
  PID 816 wrote to memory of PID 2792 (sysaopti.exe), 4 events, procid_target 28
  PID 816 wrote to memory of PID 2896 (devdobsys.exe), 4 events, procid_target 29
  Caveat: every write is from the parent into a child it has just created, and a short burst of parent-to-child writes is what ordinary process creation looks like. On their own these eight events do not show code injection; they confirm the parent spawned both dropped executables.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"
   PID: 816
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (child of PID 816)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      PID: 2792
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesNH\devdobsys.exe (child of PID 816)
      Command line: C:\FilesNH\devdobsys.exe
      PID: 2896
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
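The report gives enough concrete artifacts (the Startup-folder drop, the two "Parametr" Run/RunOnce values, the C:\FilesNH and C:\GalaxW4 paths, the process names and the dropped-file hashes) to hunt for this sample on other hosts. The script below is an added example for that purpose; it is not part of the sandbox output. Paths, the value name and the hash list are taken from the report as shown above; everything else (variable and function names, checking every user hive and profile rather than only the sandbox SID) is this example's own choice.

```powershell
# Added example (not from the sandbox report): hunt a live Windows host for the
# persistence artifacts this run recorded. Run from an elevated PowerShell 4.0+
# prompt so that HKEY_USERS, other profiles and Get-FileHash are available.

# SHA256 of the submitted sample plus every dropped file listed under Downloads.
$ReportSha256 = @(
    'd79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0'  # submitted sample
    '9c4f05c69841a561c8623138a52ffdb5b05702b8aea88cad95432dd2d741951c'
    '0548192f11fd60cde9ed64e6503bfc685474d51a2827882aeb74093d5ca2345a'
    '740bfa163df2579d0cf64bab737529ff3c27854d0912965bec2ea2a57863834d'
    '78005de5783d8e7f62bf3a15dd45c97d19f344db5458a51de1e7a405ef2c442a'
    '5693755ecf5eab27806aaa6562f84fcbfea255cb22d983228f056af4ee2e6a8b'
    '4b2e20487678cc6420aab78b9815b17aa3ad1cc1ac6bb8edb3364ad8672cc174'
)

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Run / RunOnce value "Parametr" in every loaded user hive. The report shows the
#    value under one SID; on a real host any logged-on user could carry it.
$RunKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$UserHives = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $UserHives) {
    foreach ($sub in $RunKeys) {
        $key  = "HKU:\$($hive.PSChildName)\$sub"
        $item = Get-ItemProperty -Path $key -Name 'Parametr' -ErrorAction SilentlyContinue
        if ($item) { Add-Finding 'RegistryRun' "$key\Parametr" $item.Parametr }
    }
}

# 2. Dropped executables at the paths observed in the sandbox. The Startup-folder
#    drop is per user, so every profile directory is checked, not only the current one.
$Candidates  = @('C:\FilesNH\devdobsys.exe', 'C:\GalaxW4\optidevsys.exe')
$ProfileRoot = Split-Path -Parent $env:USERPROFILE
foreach ($dir in Get-ChildItem -Directory $ProfileRoot -ErrorAction SilentlyContinue) {
    $Candidates += Join-Path $dir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe'
}
foreach ($path in $Candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $status = if ($ReportSha256 -contains $hash) { 'matches report' } else { 'not in report, inspect manually' }
    Add-Finding 'DroppedFile' $path "SHA256 $hash ($status)"
}

# 3. Running processes using the dropped image names (optidevsys.exe is included
#    because the RunOnce value points at it even though it did not run in the sandbox).
Get-Process -Name sysaopti, devdobsys, optidevsys -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' }
else { $Findings | Format-Table -AutoSize }
```

A file found at one of these paths with a hash that is not in the report is still worth pulling: the Downloads list has four 3.6MB artifacts that are almost certainly rebuilt copies of the same payload, and a fresh build on another host would differ in hash while keeping the same paths and value name. Treat the path and the "Parametr" value name as the durable indicators and the hashes as confirmation.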
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not state which dropped file each entry corresponds to; entries are numbered here in the order shown.
1. Filesize: 3.6MB
   MD5: 58d490ae112f8ca92229d810911e938f
   SHA1: eeceaad69ba15569ff53a568092aca4f5717875b
   SHA256: 9c4f05c69841a561c8623138a52ffdb5b05702b8aea88cad95432dd2d741951c
   SHA512: 13ee4dfd2f85acc9df685c3af8e3a998402154169422ab1a3476a431648fff3da19786aad3a732d73325723b09f3d623f9ed58501a2752877f9f0091f30ce809
2. Filesize: 3.6MB
   MD5: f3610061718960f1ee41d7eb46061725
   SHA1: 568a10c2bfef4bbdd4cc785b79622c864a36bb44
   SHA256: 0548192f11fd60cde9ed64e6503bfc685474d51a2827882aeb74093d5ca2345a
   SHA512: a44ea16930e35413ab3380dfe3a0bf376d607135f96264552f1214fbeae0cc31a69edb7f1199db7db5257a9b914d676ccd70f32f554d63a5fd9bd51d2487661a
3. Filesize: 3.6MB
   MD5: 59f9bc992b2a8ab2aeb9fbe2107c0388
   SHA1: 22bc93ed8834b26595ed04ee5561cd2cf320e785
   SHA256: 740bfa163df2579d0cf64bab737529ff3c27854d0912965bec2ea2a57863834d
   SHA512: 39284fb651e09fbe1c0399226b8e1b4e0193b14dde6bd72c49a540037ebb9dedb078fba37aee4de87ec0ca5fda6bd8ad02374fe6cbad622f4dc2dae2e10e2211
4. Filesize: 175B
   MD5: d1dff0904a8984a3549a33ba48663046
   SHA1: 5a0855418a68801cb27eb478481cc0606898c2b0
   SHA256: 78005de5783d8e7f62bf3a15dd45c97d19f344db5458a51de1e7a405ef2c442a
   SHA512: 3aa512acf83a04055ceb3fd3755a5ebba3beeaf4a32eec2cc5d29a40a74606f8f5dcf04632a8cb0d6d49359802755e51c046f3a6d8cdbd947605c15b32eef38d
5. Filesize: 207B
   MD5: 360852f022979609c5317969978c48be
   SHA1: 6c1dd03628f712690457f674964e6f0e1d3c1bcd
   SHA256: 5693755ecf5eab27806aaa6562f84fcbfea255cb22d983228f056af4ee2e6a8b
   SHA512: 34fedec32cf010aa1886fac1c43f5b77174402f3391e64408fdce82a9bd48fb29d0d8d7c5fd5cfd46a046104e2674ef60f927391c0b98aca38e3ad4af25b7e72
6. Filesize: 3.6MB
   MD5: 2aa65e56ae8a96d18f54b6c75bc596aa
   SHA1: 8fa3d11f5e301c1ad47d5018fca96e3afd352843
   SHA256: 4b2e20487678cc6420aab78b9815b17aa3ad1cc1ac6bb8edb3364ad8672cc174
   SHA512: c8ed94b3b7e500a3356b712da34c20a373581132eb79834f1e0b2ddc7b93de7cec386ef226ec443fa89371b96e3813e82c556650d3cec34588210ecbf899e760
Note that the three 3.6MB dropped files and the 3.6MB submitted sample all differ in hash while matching in size, which is consistent with the sample writing out re-packed or slightly modified copies of itself rather than byte-identical ones; hash-only blocklists built from this report will therefore miss copies produced on other hosts.