02ec9b08157a3562672024ad0fd57dc8d47bf3cb083a0eac573e7ffd7455ff3b

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 10:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
Size

2.7MB
MD5

1a4ea75fab35867a8f68f73fdbe1aad0
SHA1

50b9c6d48652dd8ed7889e0b46b7253f3f074e2f
SHA256

02ec9b08157a3562672024ad0fd57dc8d47bf3cb083a0eac573e7ffd7455ff3b
SHA512

e135812e25aadb0e9cc6123711c4d91db20f93c8e7d52ddb6c9641b5e1e7f9ad88f6d78072d0035778be1e0b522fa056e7022667a96d95ccc8bd4f841da0cf92
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0O\\xdobloc.exe"	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7A\\bodxsys.exe"	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2484	xdobloc.exe
2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2484	2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2484	2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2484	2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2484	2172	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\SysDrv0O\xdobloc.exe
  C:\SysDrv0O\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB7A\bodxsys.exe

Filesize
90KB

MD5
24a68904a7e36b885be8e540a781aa7a

SHA1
677b59b3edf2da9aa7f2bdb0d36af284bbad9681

SHA256
203838974fbf8ac59260a71f573c798a764da2c4b4f51b9fd8c89c0ee7cef45c

SHA512
1c936660ea0e1c3b356498dfa4ad7cb6e93954bf18d8397b0f082ca5f781934f33c3e9a5d9c2ccdbdaf81344e48f18992e0fcc7781c9fe0d57e19b5ae1bec8ee

Download Submit
C:\KaVB7A\bodxsys.exe

Filesize
2.7MB

MD5
6b5bca43e15134fb526e3905e62d8014

SHA1
bb63f4873d3e7d4b2eff921375dd4eddd3e6552d

SHA256
4efd9dc707c8878698f1493e9a0c5fcc5db0ad50c2a8c28af6efa9e9306b5aed

SHA512
13e02cbf0fbdfc6c5d265c6d4e65438eed9b77f913aa5630291cc38c3d9524aaef2edee13a63b1a5f4e33de01bb45c8555e43360473b9a466b76a6bcc53625a4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
c439d434eaaeeae256033cf13b8edb10

SHA1
f0645933e37429d997e25f0bd8200bf0ee0d8ba9

SHA256
b8d2908075cb12d90a0627104865feb90adbe7d6c45d253296240e4a152720e3

SHA512
f3f2dbfd54a084ed99c633f0f1c00d3d841a55d4378b9ac8b891ceee2295a80760aef0d3b22971f23754b0b70f503b8ef65b170ca5ad6dd7c8ee2fc56927713b

Download Submit
\SysDrv0O\xdobloc.exe

Filesize
2.7MB

MD5
bf5204082019123f70f6c2191b83f025

SHA1
a99f5f6d3a81fcc8321655ca25f218be409fb759

SHA256
f275fbc82d549b47db770e09b34899213a1e942bf482a19e04e6d138d232b2b1

SHA512
e86975a46fe06df406c92f5739cb5bafaef033ba198a36548401700a9ff6376765e2bbc3e8404a0166405cbb6d14cfc178f7b4741f4b0a5da9e7089ca8b856cf

Download Submit