Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2 (the run reported on this page)
- Sample: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: a9f5ca7ebb7f8249faffc03cea8caec0
- SHA1: c733f0d2e3efcd2921e21acf25daac936ebfc3d8
- SHA256: d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0
- SHA512: 67b5a4670233c10474e9d388cbd567d46e61125d23fb4ca294d40d4585ff55fef65dee8691a406b8c75395fe95244f8328ec773586cb165679ce72c52f351b56
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpQbVz8
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  by a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
- PID 4300: ecadob.exe
- PID 2692: devoptiec.exe
Reads user/profile data of web browsers (2 TTPs)
- Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
- This signature is listed as a TTP match only; no file-access IoCs (paths read, which browser profiles) are given on this page, so the behaviour cannot be scoped further from the report alone.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBF\\devoptiec.exe"
  by a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSK\\bodaec.exe"
  by a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
Notes: both values share the name Parametr under the current user's hive (HKCU), so they persist per-user without elevation. The Run target C:\SysDrvBF\devoptiec.exe does execute in this run (PID 2692), but no file-creation IoC for it appears on this page; the RunOnce target C:\GalaxSK\bodaec.exe is neither created nor executed anywhere in this report. Treat the two directory names and the value name as hunt keys alongside the Startup-folder drop.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries are repeated hits from three processes:
- PID 624: a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
- PID 4300: ecadob.exe
- PID 2692: devoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 624 (a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe) wrote to memory of PID 4300, three times (procid_target 93)
- PID 624 (a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe) wrote to memory of PID 2692, three times (procid_target 94)
Note: each child receives exactly three writes from its parent at spawn time and the page lists no injected region or written payload, which is the pattern a sandbox records for ordinary child-process creation by the parent. On its own this signature does not establish code injection; the dropped-EXE and Run-key IoCs above are the stronger evidence here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe (PID 624)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 4300, child of 624)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrvBF\devoptiec.exe (PID 2692, child of 624)
      Command line: C:\SysDrvBF\devoptiec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3224; top-level in the tree, not a child of the sample, no signatures)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
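The Signatures and Processes sections above describe one persistence chain: a dropper in the user's Temp directory writes an executable into the Startup folder, sets Run and RunOnce values pointing at non-standard root-level directories, and spawns both the Startup-folder copy and the Run target. The following Python is an added example, not part of this report or of the sandbox's own detection logic. It runs three rules over a handful of Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that are constructed by hand from the IoCs on this page, plus one benign Run-key write so the rule has something it should not flag, and then groups hits by originating PID so the chain surfaces as one finding. Field names follow Sysmon's conventions; the events themselves are an assumption, not logs from the run.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events built from the IoCs in this report.
# These are NOT events captured from the sandbox; they are hand-written
# so the detection logic can be exercised offline.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
HKU = r"HKU\S-1-5-21-1181767204-2009306918-3718769404-1000"

SAMPLE_EVENTS = [
    # Drops startup file
    {"EventID": 11, "ProcessId": 624, "Image": DROPPER, "TargetFilename": STARTUP_DROP},
    # Adds Run key (Run and RunOnce, both named Parametr)
    {"EventID": 13, "ProcessId": 624, "Image": DROPPER,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrvBF\devoptiec.exe"},
    {"EventID": 13, "ProcessId": 624, "Image": DROPPER,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\GalaxSK\bodaec.exe"},
    # Executes dropped EXE (the two children of PID 624)
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 624,
     "Image": STARTUP_DROP, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 2692, "ParentProcessId": 624,
     "Image": r"C:\SysDrvBF\devoptiec.exe", "ParentImage": DROPPER},
    # Benign control (constructed): an installer under Program Files
    # registering its own updater. The rules should stay quiet on this.
    {"EventID": 13, "ProcessId": 5100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js|ps1|lnk)$", re.I)
# Directories a standard user cannot write to; anything else (Temp,
# AppData, or an ad-hoc root-level folder such as the ones in this report)
# is treated as untrusted for autostart purposes.
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


def _untrusted_path(path):
    """True when an executable path is outside Windows / Program Files."""
    return not TRUSTED_DIRS.match(path.strip('"'))


def detect(events):
    """Run the three persistence rules and return (rule, pid, detail) tuples.

    The pid recorded is always the process responsible for the persistence
    action, so a child executing from the Startup folder is attributed to
    its parent; that lets persistence_chains() correlate across rules.
    """
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]) \
                and EXEC_EXT.search(ev["TargetFilename"]):
            findings.append(("startup_folder_drop", pid, ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            target = ev.get("Details", "")
            if _untrusted_path(target) or _untrusted_path(ev["Image"]):
                findings.append(("run_key_untrusted_target", pid,
                                 f'{ev["TargetObject"]} = {target}'))
        elif eid == 1 and STARTUP_DIR.search(ev["Image"]):
            findings.append(("exec_from_startup_folder", ev["ParentProcessId"],
                             f'pid {pid} {ev["Image"]}'))
    return findings


def persistence_chains(findings, min_rules=2):
    """Group findings by originating PID; a PID that trips at least
    min_rules distinct rules is reported as a persistence chain."""
    by_pid = defaultdict(set)
    for rule, pid, _ in findings:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid, detail in hits:
        print(f"[{rule}] pid={pid} {detail}")
    print("chains:", persistence_chains(hits))
```

On the constructed events the three rules produce four hits, all attributed to PID 624, and the benign Program Files installer produces none; the chain for 624 lists all three rule names. The untrusted-path test is deliberately coarse (it only exempts Windows and Program Files): on a real fleet you would extend it with signed-binary checks and an allowlist, but the point of the example is that the Run target in this report, C:\SysDrvBF\devoptiec.exe, is a root-level directory no legitimate installer uses, and that alone is enough to separate it from the control event.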
Network
MITRE ATT&CK Enterprise v15
Downloads
The page does not name these artifacts or map them to the dropped paths listed above; only size and hashes are given.
1. Filesize: 3.6MB
   - MD5: d6f9d74b2613cd1c0323afa671e9857e
   - SHA1: 2030660277a973271324c4027cc8175196d58fc8
   - SHA256: e99211329672d48bd212dfb3671fb1f5a23fbacd92f5a6afddbaca116c236257
   - SHA512: 09046d06988f0f1ea1bd0cfdff81553c8e3b223a029f06fa40e97586c107d394a188eb269fa30a82ecb96abe0f45b39a48f349f2a5af7fa7a7a851966213f634
2. Filesize: 3.6MB
   - MD5: 7d8fc219cd7e52b50a3382dee3388ea3
   - SHA1: 69d67251951b0ad0898bf28882977c92cdfdf97a
   - SHA256: d81ddce14eccceaf866eac9274774f6c46e75fd29c16bf32ce1115b494149a2c
   - SHA512: e50caf5a0078dec7f44b93c34f05e8bc8b78427b85f32106ec7b864c376e81065d70fce34865abee587fc43a62c632f3394bf75c6cd54034cdeb243ef74806fe
3. Filesize: 3.6MB
   - MD5: 7004ea328c7b101287e2456b4e333d73
   - SHA1: 3b7887fdc7cdb58e7ffe2532576e3f008b5dc783
   - SHA256: 66c2aeb8eda8c2d068ba31ce6c0b96b19dcc77370fb47d633d7b0e563f1472bc
   - SHA512: f8d29d10bbb5f33d905f89ed33277d272b772411f0789641fa17c4f835cf29c074eee0eaf89c1dee0677fbde80fc702b9a153900fa736fd8b01629ce79cb37bd
4. Filesize: 202B
   - MD5: c3af3a767cd1530ab978f92d5cc310c4
   - SHA1: 5262a31189f9a7cb1781612992badf75db0e8944
   - SHA256: 6b711be347e28b9e43fc25e534e50afc4fb55a846a0198248efe7525cd436a5c
   - SHA512: 82970dd2f5ef4d1b63b6026b02890e92df7544b047f897355bc8b8e196b2eba80a0435fce8ed720ed1488d36af0a597d85f2e5a320f09ba1620a4bb5d286fd57
5. Filesize: 170B
   - MD5: 3e56c615370603e664731d73f08f7b66
   - SHA1: 520e770ec18073b3af9d893df78d42deb743b0bb
   - SHA256: bfe931248856e3a64c32d4d54599dfb6b81b89754e056735a6ce300d7d432e30
   - SHA512: acb38bac51af66bbef06d17c90049948a736bdd3fef2fc318932687c88f4e75612ff1ceb2f697d0f84901fbe7d1131439ca76d1ae479bf0007250976d3a708cc
6. Filesize: 3.6MB
   - MD5: 8a42cd690db90e12b428154c1b74db0e
   - SHA1: a47371f4eae7f17901bc98b6da162bee047c7b52
   - SHA256: 416e9a092655bf9b3bc38177d4d5d34b445129fa10118ea540d896cad18b8284
   - SHA512: 10063c423050075c05769b98a0a69e5f32fd2822dad24a48a089333edc40101b27039e249aacc6b37e27b055436b0d2f868af3e08b0fb7d1994a20d2808b397c