6dd24ac8b34ca269f5ce7e35e7fffecb72f650b355a22a58c8bdf0504e3e0d53

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
Size

2.7MB
MD5

d49f29b1b2f9b0801dc592a7aaedb560
SHA1

ad72c0f2e78e79d02aad7dc3faa9549787526786
SHA256

6dd24ac8b34ca269f5ce7e35e7fffecb72f650b355a22a58c8bdf0504e3e0d53
SHA512

9fd505a6557903c5f07a1b347e773901213241da432be6b6c51941dd22ef9fd10c544ab1b90ec6efa66702b6750886bb720d839112bf4501305fcd295316dfe1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpG4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKE\\boddevsys.exe"	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXI\\xoptiec.exe"	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
2032	xoptiec.exe
2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2032	2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2032	2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2032	2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2032	2036	d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d49f29b1b2f9b0801dc592a7aaedb560_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\AdobeXI\xoptiec.exe
  C:\AdobeXI\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZKE\boddevsys.exe

Filesize
2.7MB

MD5
37fdfddb7350a6e3f2e384dd721becf1

SHA1
425422623c1922e314454df7c57e57be18ca8519

SHA256
2af7c3dca7f0235ac4a35de6f323aff3ab136f2f4d9d359e059067d60bb6d638

SHA512
c7df2809b9eca28cb7c8ac4a564fd0007249bca4dbb516fd48a9540a613ef71f85c2e80519afe200a9cc5f514843b70f3f127bbcc4be6056e3a478e1f21bc01c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
6df0d89bb2eb0291eca4607653a40e60

SHA1
f867a074167c6221ecd1d0ea2f5c3b24ded9965b

SHA256
6752f7d867c17b49d0a6d3ee845fc05e3638afc63b4ada14705509542b417778

SHA512
07ce423c4ee675dbeb8cc122e885fbc0e40e392c3def6d02f621b4582416df7e42276c38426562258868661e4d1245ed722b6b3e946e064bff7b07f11af213c2

Download Submit
\AdobeXI\xoptiec.exe

Filesize
2.7MB

MD5
6e8d57ae67eb59d9bc48e57f827d1326

SHA1
5033a3e0044fca67861030e633da5f935d817607

SHA256
53cdea194f00db5aad783b3683464322477867e64e99d5c950eb57c9163766a6

SHA512
371a7d787e3035422ed45858f38ff95d2e9545f872e97aae929700d39747fe8b651061424e8df39adac5042ee0d2c23ce3b3b451f503cb4038b657d148ce0dc4

Download Submit