8f343e7c8ecacb28b83b2fd4a4c25b8987159749c09c40d1ddcf0d9aecda1fe8

Analysis

max time kernel
149s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
Size

2.7MB
MD5

52281e3c463d9b03a0f7dfa706a4d640
SHA1

9d1db538e1bfda436850d04f4e23cb8fa435871d
SHA256

8f343e7c8ecacb28b83b2fd4a4c25b8987159749c09c40d1ddcf0d9aecda1fe8
SHA512

e630b080346ddd687f44d6432a4ca5909c8d681a953fa21e3541714ba05c66ff6af8e184b6318d5fdc1b4f2a6ceaa8353233bef8b56677c55f6af9ad1bd1f586
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3928	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc59\\xdobec.exe"	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKT\\optidevloc.exe"	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
3928	xdobec.exe
3928	xdobec.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3928	1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe	86
PID 1916 wrote to memory of 3928	1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe	86
PID 1916 wrote to memory of 3928	1916	52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52281e3c463d9b03a0f7dfa706a4d640_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Intelproc59\xdobec.exe
  C:\Intelproc59\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc59\xdobec.exe

Filesize
2.7MB

MD5
cffbbbe1418cbb43f33ae45f948e7a4e

SHA1
54f5ce7f965caedf3600c7d193701d726140d61d

SHA256
0640d74fb939d0dda89e07e4a2f23b014c2f49e6eba3ca9f0f568581c49c37b4

SHA512
89db2de7c26b2d6f1b64e1e7d81709b18c1be1d350e6d34660b4a68161ea069afdb8d1ce831d7a0cb68d2f6df309940d0a1f4107ec4cbe5917151e53b393953f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
8cca286603a1591af56ba64ff08d68b6

SHA1
5931f519840f630148a7bbf3df4370e605d03277

SHA256
3cee4e083cf98e47531e9abde0dcee59cef052b7ec4d5931c0cebf9bedfc17ad

SHA512
f32eba8c674a71f0aee487269f25a9ac258beb62483e23d53873d1ec227220fd70b941878ace27322c038d0cdfa10ec17518b32d670088d097fa17eddbc127e7

Download Submit