f7485cd126f9197f4f17a56e1a2351e1ba53e0fdc4e9127e0b2d43da34d3b75e

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
Size

2.7MB
MD5

c3cafef8a75eb774228d5e1ce648bce0
SHA1

9edb6e79a9eb3373855b8dc40a9d6c2e7b438a32
SHA256

f7485cd126f9197f4f17a56e1a2351e1ba53e0fdc4e9127e0b2d43da34d3b75e
SHA512

ae4309077784b2a6e02734d2a21d4973f4e628eb0e4b1ad8184f3af421aeb7272a4384fabfa0dc35b6561b4a83f80028636b441cf1f4abedd0865cd5d4deb62d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3376	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5I\\xdobsys.exe"	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUH\\dobdevloc.exe"	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
3376	xdobsys.exe
3376	xdobsys.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3376	4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe	88
PID 4600 wrote to memory of 3376	4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe	88
PID 4600 wrote to memory of 3376	4600	c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3cafef8a75eb774228d5e1ce648bce0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Adobe5I\xdobsys.exe
  C:\Adobe5I\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5I\xdobsys.exe

Filesize
2.7MB

MD5
322c143f74ff5e0bff4a21ddffeb64e3

SHA1
f0b44d7c537df297baa89dfffa7e91995137f571

SHA256
e3dab806f15d0ee4b1c679d92202177d91bb29fbf79d985e804411776a3349ea

SHA512
3026b6b80a1449db31cd4b53cc4a1fd41d1be4337fd0e587e51404e6862c99da761a9ce4593a5ecdb8afc37e41bb1ca4864367177dec6a50f67f14ed92a7ee79

Download Submit
C:\KaVBUH\dobdevloc.exe

Filesize
2.7MB

MD5
3eb35df021e81eb2d064fbc25a437560

SHA1
cb066fe97b7fb9e6a03ff296493f770ebe68904d

SHA256
9a69a415b933fd80ed6bd20aebe2517cc8879478f61e2c523465f1e462a0e6d7

SHA512
72d4e8db94c99e02b0b881c9314880412042e1ff01cfa12045b468c3e40b009deb0d1b243266c045299f29f45d013c56bf649aec972a5232894225d933cf394d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
10c7d8b91e023bd6ad85a3171f562a1b

SHA1
c7a60cb88e7d3d98a9e6b40e35f0d606d069e507

SHA256
b072b80939d926624c8e31c922a0591ce8a37c524c43136e3e8decfc968c6ecd

SHA512
efde950f69f3813cf9dd84fa929e787168854111212226304ceeb739fc0faa29fc712d250f12012ee47c02aa57d15057713ac7a828bc9fd6f57cdf3b0ba2fa3c

Download Submit