68577bd8770d06d1a09864539cc0cff790600a90468fd6eb191fa72ce11c4986

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
Size

4.1MB
MD5

9e2b174429ab6c32df76e0c64a99b3a0
SHA1

6523a64a07eb482f10b8dac869bd2e006c287767
SHA256

68577bd8770d06d1a09864539cc0cff790600a90468fd6eb191fa72ce11c4986
SHA512

4e67651884adc01abd0116fd98abbfa64eb53dc49105f5cb37828b7ce9a8845d58468d3f4e3fbcad304e148e1763d814bf2dc4d7b59eac18d0060bb329525668
SSDEEP

98304:+R0pI/IQlUoMPdmpSpe4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmV5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotOR\\xdobec.exe"	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVD\\boddevsys.exe"	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1680	xdobec.exe
1680	xdobec.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1680	1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe	91
PID 1536 wrote to memory of 1680	1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe	91
PID 1536 wrote to memory of 1680	1536	9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9e2b174429ab6c32df76e0c64a99b3a0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536
- C:\UserDotOR\xdobec.exe
  C:\UserDotOR\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVD\boddevsys.exe

Filesize
23KB

MD5
14ed38654f412fc799d92e4c3ac4ab4c

SHA1
b46d068b8bc01faa17db3972a9937e1e8d63703d

SHA256
07604f5f02331392f17d49a573bc8850c01edb166350d7d77db5d74867abaca2

SHA512
dbd3f47f0c092e5b9f6daa11ce9cde0ac03fa180eeace2d807d474daa5e71ea6c548e9fc67e10345f7e9427e42ab2e7dd2d0778743b46616387888fa87616849

Download Submit
C:\KaVBVD\boddevsys.exe

Filesize
4.1MB

MD5
2fad7517eede5e9b70efa692b370505b

SHA1
4ec8e4de7b61d09f88a1dc95ff80ae7cb8d55213

SHA256
02ababa3e6294c2eee1fa19ec8925703a2578af4f8fffcd1fe1b3ac8e27fbc6f

SHA512
5dd5f899390d765ad93be3cf2ee01ae2019cff853e07dcfff8c47373c36304e0faff7e59cb99081fd8afb773767f0369039acbacf3b19ec2afb792bd6ec1643d

Download Submit
C:\UserDotOR\xdobec.exe

Filesize
4.1MB

MD5
668203a8a8ba2933878204440f51d2be

SHA1
7d021d941f257b2178248d9d7b32313593c50022

SHA256
8e33da23c350fa79f6dc141b8a834aa5eb7929d75028d5ae31dc85bce7562cf2

SHA512
b163209dceaf382fbad3ab5f208d674f0c02bc4d999966ec148f3023ff82a0f44d1a792538b42a51e7231d57c0079a1d2e6695e513f2d8ff3452a3cc28ffade9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
8d59120cc9ba9e14ff6cbaefdd1b686e

SHA1
3dfc0fa15cf04da3bf279bd65e251ce227c59602

SHA256
e7d04dfe0573478334923f4e811588acc8fd0228bfbdfa2be63ab788743a66e7

SHA512
c94a82b5cbcb078809dce2c832784551578efd2ca31dd9cd976a67e7faf2dfec27418385bbb75b9dfbd2e5814ec125c0253220ce330e289f40385a28c41289b2

Download Submit