fe24b0c7bd91b01d1ad3f792a37b6c0835ec2b2b6a3ceaf75a905fd23ab1cbef

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
Size

2.7MB
MD5

1fe374e4ae88310e49c8e4bf25871750
SHA1

f5feb114586104206e0cf215bdc03426cf7a7a0d
SHA256

fe24b0c7bd91b01d1ad3f792a37b6c0835ec2b2b6a3ceaf75a905fd23ab1cbef
SHA512

3e350628cdddedb9345baa4ce061c96943f19e0379aa2939dd86043e9751ea8fea73182eec322ef7bb6b5443cb9aaa1d4362007407f01c7d78e5e1dd03772754
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9Q\\xbodec.exe"	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ2\\optidevsys.exe"	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1712	xbodec.exe
2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1712	2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 1712	2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 1712	2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 1712	2868	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868
- C:\UserDot9Q\xbodec.exe
  C:\UserDot9Q\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBJ2\optidevsys.exe

Filesize
2.7MB

MD5
367c975198933ca9a26a96f05ff5ad8b

SHA1
4a562202360f8f711a275f37c98b52efab901109

SHA256
7c2f46df313101c0de3886d0e1b2aa2eda5a79ab5f36fbfdf17c7857770316a6

SHA512
42e027b01282714f6905774f1eec1a3ae1ebc6b4a0ede2d76200656de00279f106c915e89f780c31cd72e074f2fe404d7b808cf0aaf1ee40354a935e07e27ad1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
d47e9d6b1cfb4506305993abd5a08940

SHA1
00986d6139fc8e7010917b0fd5b61b539b611063

SHA256
05e5ff6a404e05e4f8ff8abe87df9c0fa62f4d5e733b780e70eea138bc6ead18

SHA512
5bd250424d6d474c960b36904aad3b751b40b34cf9e036e3da8fb5028eeabc5c5a35c2ad652edaa02f6eeb295011f110da4c016b0e4b911d98c1289057ec2b8c

Download Submit
\UserDot9Q\xbodec.exe

Filesize
2.7MB

MD5
e55bd37f11368c3a5686c91208e67b3c

SHA1
0378c495440a531e9993f4fedf0895811015fe3a

SHA256
691f198ac9a2b54357c1f4aa787f39e83a1a5189b332dc79170762bb35afc067

SHA512
3d5a97323d7798511105734bcd8c3063cb7ef0e60ab8dd77279e7d3bc8059ffd5061078217c7ab3add58d8a4c6258988a3e3a3b8704dcac27431f4ab8ab65aeb

Download Submit