4dbfa112b7f9739b40c8763d8c5afefc81056ad633bbc6a9e3b1e98ea872f74f

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
Size

2.7MB
MD5

1ecd5b3be63476eb9e9ff07147848980
SHA1

23fd478a63eb0784a50b5abce1bd498cd4e01ba2
SHA256

4dbfa112b7f9739b40c8763d8c5afefc81056ad633bbc6a9e3b1e98ea872f74f
SHA512

d1048b17b8e8b2fdaf48b7a342b86e2f01bc4aa1c650ca4098ab4966422aad3c3147380909e8403941a543a614265e2ccd766a9b514f086098f68d9229b7b91e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Sx:+R0pI/IQlUoMPdmpSp34

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3616	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLR\\xdobloc.exe"	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMT\\optidevsys.exe"	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
3616	xdobloc.exe
3616	xdobloc.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3616	1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe	87
PID 1976 wrote to memory of 3616	1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe	87
PID 1976 wrote to memory of 3616	1976	1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5b3be63476eb9e9ff07147848980_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\FilesLR\xdobloc.exe
  C:\FilesLR\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLR\xdobloc.exe

Filesize
2.7MB

MD5
cd0e19efd67aea8de6df69e09745e9a1

SHA1
3ed75d395228c36413f3d8989a8fadc7e04eed33

SHA256
579ab01303122b718fbce664a804be566988a2b324495f6400a88be4b206490a

SHA512
a4ac19c9ef861a6988f7479d9e020ca2e889059ef6130f68564dc2ae46b91e1f3b0a88abec0182ad4e74d651d403b66f55f727f51029165d67b5df1f55c82c38

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
1ab28b46f24ec382a4f12a5f774d146c

SHA1
78ecfd45df7ff1cdfa6ef5308d3baf82be8bd81a

SHA256
fd494ff5a76014e7a0db790f7bb78eec704cb4d167b3fab504cbb71a4211d69e

SHA512
75ec8c14bc89f493d145b7122aad8545691bff82687fc6af5f8be95532992e9930fd0c10cf45d1785d1bd919eb646258b4f34cd43a802a10c8a51e97aff8b775

Download Submit
C:\VidMT\optidevsys.exe

Filesize
23KB

MD5
a6aebd29ccc988545c49a93b8c422fc3

SHA1
70ea713ca93cc992d63d7aa2c8d1d01b6a3b2db7

SHA256
40b80ab3b88d64cd22cff2360518a0a47a400c092cfbee5dc3326694053ab7cd

SHA512
2e5635e4889783c9097ea9ed53b511562b3ce26e035c1551929223efb99aa73df73adeda868c6d0eee35073e6aa6814f965dab5e70a699a0f3951085ebea0b82

Download Submit