Analysis
- max time kernel: 149s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: aba6ab98809f9dcbd40421dda81925a0
- SHA1: 883758eb2068175968eaa6ecb54aec9699077f91
- SHA256: 8068a13bfa8cc3ff5bd3021c20d7e6c518b10f6d0a2482ca2be131ef400cb436
- SHA512: 49201be6386c146f7a3dff1496468d183efab1da73d0e93e52fab948490a54840075576d75d6f9f7b95d742164a5c51fbaca864c26471f62e9bdd5e054763bc8
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpbb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
- Executes dropped EXE (2 IoCs)
  PID 3772: ecabod.exe
  PID 3028: devdobec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2X\\optidevsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLI\\devdobec.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries for three processes)
  PID 1948: aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
  PID 3772: ecabod.exe
  PID 3028: devdobec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1948 (aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe) wrote to memory of PID 3772, procid_target 84 (listed 3 times)
  PID 1948 (aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe) wrote to memory of PID 3028, procid_target 85 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe (PID 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (PID 3772)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeLI\devdobec.exe (PID 3028)
    Command line: C:\AdobeLI\devdobec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads