9eb48d2715d4a2e4f8d8bebc186bb9fce9ba4afd62f53e994e6658e0d604f476

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
Size

2.7MB
MD5

911b776b62705800574c440e802f0b60
SHA1

e2b260ec498f433f59f30e94776eb15d72f5681e
SHA256

9eb48d2715d4a2e4f8d8bebc186bb9fce9ba4afd62f53e994e6658e0d604f476
SHA512

83db847fd2b66358bfc9a8794ef9fa1788ae5480dc0421bd3d399b5abc3962df028024a753a4098990f524793019b4469a41c54c64516b458923571915565392
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2496	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH9\\xbodsys.exe"	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVR\\dobaec.exe"	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2496	xbodsys.exe
1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2496	1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 2496	1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 2496	1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	28
PID 1888 wrote to memory of 2496	1888	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\911b776b62705800574c440e802f0b60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\SysDrvH9\xbodsys.exe
  C:\SysDrvH9\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVR\dobaec.exe

Filesize
2.7MB

MD5
029eaa6ca5495fe39f9fcf6df17fcd3b

SHA1
4e0ed5fdcd1fe7513f713479f8aca121cae9aa26

SHA256
0d9938083241d4d4179a8eb6624a0103ef9248605de7f07ee30fcf4bdd372abd

SHA512
86a36a535f84a107d83dd9c8bb2cc1dccb317e905e62f9ae528413fb0a370b902ff3b5e285f17dc08dbc295a1de8f77882cb156edf5c8116ac6e35c8af25cc47

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
66e8609dbef7dcba67107575ba81003d

SHA1
ba3379f2588ce5383338bae9183bb07249eb593c

SHA256
a255c9de7ed1b5f0a54b3c68c2fd039732c65daa593d3b7a7db88e81ced31b18

SHA512
0bccaf2f0c35e436dc947ec8eef94cfe569fcb06a7719d476bca8fc4877c00434f7568e25e5c7881a9590ed61bb04617a872dc5df9155aa0fa55c68279ca6142

Download Submit
\SysDrvH9\xbodsys.exe

Filesize
2.7MB

MD5
9e27d1d6d30a8ac542d00bdbc9da3a15

SHA1
40b75e2ca21c20e8847ee3774aba017ea594f4d1

SHA256
b8545f8249e933c6a50f24cfce140af5c4513ff4c5ffb46d73ff0e11e0e2a875

SHA512
b7bd7de52b900e1ed733fbc9f648a793388ad85c28ac1463543cf56dedc56228609038b34ac0fe095b63396d83be53568a8ef28f99ebd2f757533c44f2cc9a02

Download Submit