Analysis

Max time kernel: 140s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-06-2024 12:02
Static task: static1
Behavioral task: behavioral1
Sample: 96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
Resource: win7-20240508-en
General

Target: 96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
Size: 1.2MB
MD5: 11ae8536e9968d050d0eb53ca7fe8d00
SHA1: 6741c252fa36715043c3afaf6bdb9687deb08cb0
SHA256: 96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87
SHA512: 0f3a3603828369fc3a3323c635ea7a3556b8fdf63fc558e1b8ecdb1fba71ac15a73497fad9ae03ca968338b61b1b9e84b573ab86c1b656735359bd753a1c6f55
SSDEEP: 24576:NHR0G3bY4R9SslKujAZBZPIn+klcWK8fhx0aA:NyGrY4Rg2KucZLPI+kDK8JU
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    5     freegeoip.app
    6     freegeoip.app
    23    ident.me
    24    ident.me

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                          process
    Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    4136  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
    4136  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
    4136  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
    4136  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4136  96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe"
  PID: 4136
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 5012
Network
MITRE ATT&CK Enterprise v15
Downloads