Analysis

Max time kernel: 150s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 14-06-2024 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
Size: 2.6MB
MD5: aba6ab98809f9dcbd40421dda81925a0
SHA1: 883758eb2068175968eaa6ecb54aec9699077f91
SHA256: 8068a13bfa8cc3ff5bd3021c20d7e6c518b10f6d0a2482ca2be131ef400cb436
SHA512: 49201be6386c146f7a3dff1496468d183efab1da73d0e93e52fab948490a54840075576d75d6f9f7b95d742164a5c51fbaca864c26471f62e9bdd5e054763bc8
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpbb
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
Executes dropped EXE (2 IoCs)
  PID 2912  sysaopti.exe
  PID 2588  xdobloc.exe
Loads dropped DLL (2 IoCs)
  PID 1996  aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7B\\xdobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZ1\\bodasys.exe"
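The two persistence signatures above (the Startup-folder drop and the Run/RunOnce values) are the part of this report a responder would turn into detection logic first. The following is an added example, not code from the sandbox or from the sample: it takes file-create and registry-set events, recognises the per-user Startup folder and the HKCU/HKLM Run and RunOnce keys, and lists every binary that will launch at the next logon. The events are constructed by hand from the IoCs printed above (two benign control events are made up), the Event/Finding field layout is this example's own rather than the sandbox's export format, and the ATT&CK mapping to T1547.001 is added here because the report lists no technique IDs.

```python
"""Autostart-persistence triage over sandbox file/registry events.

Added example for this report; it is not the sandbox's own code. The events
below are constructed by hand from the IoCs in the "Drops startup file" and
"Adds Run key to start application" signatures, plus two benign control
events that are made up. The Event/Finding field names and the mapping to
ATT&CK T1547.001 are this example's choices, not the sandbox's export format.
"""
import re
from dataclasses import dataclass

# Per-user Startup folder as it appears in the sandbox's file paths.
STARTUP_FOLDER_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

# Native registry path as the sandbox prints it:
#   \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<value name>
# HKLM writes would appear under \REGISTRY\MACHINE\ instead; both are accepted.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<root>[^\\]+)\\"
    r"(?P<key>Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce))"
    r"\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    kind: str        # "file_create" or "reg_set" (field layout is this example's)
    process: str     # image name of the process that performed the action
    path: str        # file path or registry value path
    data: str = ""   # REG_SZ data for reg_set events, as the report prints it


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK T1547.001: Registry Run Keys / Startup Folder
    mechanism: str
    process: str
    target: str      # binary that will be launched at the next logon


def _reg_data_to_path(data: str) -> str:
    """The report prints REG_SZ data quoted and with doubled backslashes."""
    return data.strip('"').replace("\\\\", "\\")


def classify(events):
    """Return one Finding per event that establishes logon persistence."""
    findings = []
    for ev in events:
        if ev.kind == "file_create" and STARTUP_FOLDER_RE.search(ev.path):
            findings.append(Finding("T1547.001", "Startup folder", ev.process, ev.path))
        elif ev.kind == "reg_set":
            m = RUN_KEY_RE.match(ev.path)
            if m:
                subkey = m.group("key").rsplit("\\", 1)[1]          # Run or RunOnce
                mech = f"{m.group('hive')} {subkey} value '{m.group('name')}'"
                findings.append(Finding("T1547.001", mech, ev.process,
                                        _reg_data_to_path(ev.data)))
    return findings


def autostart_binaries(events):
    """Set of paths that will execute at logon, across all mechanisms."""
    return {f.target for f in classify(events)}


SID = "S-1-5-21-1298544033-3225604241-2703760938-1000"
DROPPER = "aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"

# Constructed from the report's IoCs; the last two events are made-up benign controls.
SAMPLE_EVENTS = [
    Event("file_create", DROPPER,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"),
    Event("reg_set", DROPPER,
          rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
          r'"C:\\Intelproc7B\\xdobloc.exe"'),
    Event("reg_set", DROPPER,
          rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
          r'"C:\\VidZ1\\bodasys.exe"'),
    Event("file_create", DROPPER, r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"),
    Event("reg_set", DROPPER,
          rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
          "1"),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.mechanism:<28} {f.process} -> {f.target}")
```

Run against the constructed events it yields three findings and three autostart targets: sysaopti.exe in the Startup folder, xdobloc.exe from the Run value, and bodasys.exe from the RunOnce value. The third is worth noting during triage: C:\VidZ1\bodasys.exe is referenced only by the registry write and does not appear as an executed process anywhere in this run, so it would be missed by looking at the process tree alone. The two control events (a file in %TEMP% and an Explorer setting under the same hive) produce no finding, which is the behaviour you want before pointing a rule like this at real telemetry.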
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1996  aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe (2 entries)
  PID 2912  sysaopti.exe and PID 2588  xdobloc.exe, alternating, for the remaining 62 entries (31 each)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1996 (aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe) wrote to memory of PID 2912, procid_target 28 (4 entries)
  PID 1996 (aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe) wrote to memory of PID 2588, procid_target 29 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
  PID: 1996
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 2912
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Intelproc7B\xdobloc.exe  (depth 2)
    Command line: C:\Intelproc7B\xdobloc.exe
    PID: 2588
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

-
  Filesize: 2.6MB
  MD5: a90cf04bd623e1f090a3fda0fb46559e
  SHA1: 730906136e88664392fa59c47bee6d806d3ca0ed
  SHA256: 1ec32adba6d8eba4cf70f084906b09b89d9d8d58f4be6a76d3039a6f1aeb86cd
  SHA512: 780ea97bae8d8126a411607ba1e6b31736085054d57d81ce3e769aec1a08b7824cccfbb841a1396435e6469f0ecfcdd3fe30eb600ed521723acddc511ef230e4
-
  Filesize: 172B
  MD5: 2a5d7f2d1bbfe8db1a081bf5c6531e7e
  SHA1: b159e27a7b95d1281d25b5a3a37f1b0851c12cc9
  SHA256: e41b7ebfc0c0d05d8b06f1506e81c65e4485bc1399c9495b690747f878ef05fa
  SHA512: b8b5906f6834edf543fb20d812ea3fb81d4d66b1174f53b1cba4a6e7eb3216e602240ce358a9a8692a869d3b055ca33afbfb0a2a9715dfe470ab05ba421fb5cd
-
  Filesize: 204B
  MD5: ce0c3fc9c6b69fd4d73ac90483f22ec7
  SHA1: 9b88c511ae2ea6f3b257bb16bb113fc1eec0acbe
  SHA256: 95a1caac94e03c2a51c1bf735bd236b8064fe8e6b21a046b3d462e5f10a8259c
  SHA512: 485dcd98814b21d8f14766fdd3a26f70dce08762e8f74142a27a0d38412e6548d932569ce2e8bac61ff80e4d75ce039d8ae3ea47bea9270da7e105260bf337a5
-
  Filesize: 117KB
  MD5: b30af74c34a007928f25b3c482d6aeba
  SHA1: 111abb46b79b44819e95067b1b91c24e37f73cb4
  SHA256: 1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea
  SHA512: 4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041
-
  Filesize: 2.6MB
  MD5: 34376e69347c6900de00bf893fc58be2
  SHA1: a01870392aaa97ce6761ed25d9d72c10e6eaad24
  SHA256: 4db20a9808ee9d4418b98f7beec03441be4628cdf58bfb11a531669c73878153
  SHA512: 7e78bdb215aa58eb8b991120260b516ee9bdf037459aab84236cc43e0f8f15cf9a33a20b1ce7a5f02e019b5a47f27aa0532949e55282213fc7d35b46d2faca73
-
  Filesize: 2.6MB
  MD5: f3783b3649bbba086c2e1350b9ae5dcc
  SHA1: 9e9ec753dcdd64903eecaaa02fb0d4979842c1a4
  SHA256: 3197185fc6f31de2ad2f261943640d204d0b39d77113fd709934b7e5853af9d7
  SHA512: de138ae7021e01a28d1ae90bd76be1eb349c65c3b3f91c5e13b03b10f610e5addcd85729b83f2a368dbb6a921919916d0114a65f3a2293b13b148ac5e13055fb