912648c11c9c439f9ff989fc0b44e607a58c446ae88057b49e4418dee4f852e8

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
Size

2.7MB
MD5

59bba8f5a68b0543de216f3b7bcc8ff0
SHA1

fa9b56386a14e4da6e8912f5e442a22803de204c
SHA256

912648c11c9c439f9ff989fc0b44e607a58c446ae88057b49e4418dee4f852e8
SHA512

23863ba1c4a7e2d168c11f0089070e7a651caae50ff81fd9500c2bb8e479fb384f6ccded4616618f6e711fd09c64ab6f009874669edd12923f762bb67d5c6308
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1X\\xbodec.exe"	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB15\\dobxloc.exe"	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
2412	xbodec.exe
2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2412	2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 2412	2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 2412	2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 2412	2944	59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59bba8f5a68b0543de216f3b7bcc8ff0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Files1X\xbodec.exe
  C:\Files1X\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB15\dobxloc.exe

Filesize
2.7MB

MD5
34c6c6e442fe90af995c76b97c2d8daf

SHA1
9c7710bd894550903286121a27bdcc511898a4ce

SHA256
7aa11d42dddcb49749fc1ca6a5520a17c98a3318e7e9aa8f27c1c752e5fa4fa6

SHA512
f10ba03590d8d7badeb4951cdf5696931ce252199d547398461b3c94b7cf717c90ff1b31691a0b3847651ab20eb4f485cdf9f906498de80b07763c4b1e2b4269

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
7167264e77077e0dd74b3d74be5c0485

SHA1
d13b14ac370d70f3c3bda8b5cbeb6ef02696fd30

SHA256
dfe9616a130144bfc76eb7d8c1d4f082a4fce030cc004828bf2bb88597bd3bc6

SHA512
86cbafd4467b3c514f62352495a311df0392449daa5dbb43c6f40001807ffef5c2a4f538e061092f44a43075336522a7c3a873c7168730570d3a6f134e933cf5

Download Submit
\Files1X\xbodec.exe

Filesize
2.7MB

MD5
7bc2d7dbf6ceac67a2c6b8d800992f7c

SHA1
d95d758bc65febf2305ea36b3e3a04db1a0a1147

SHA256
2cfa1be5191936da0fe0058e10b79e7c32b7853033a42fdc2c5f22a4b4f32473

SHA512
b1a8f73a9f9ade6501b4c7b3c0bc1d3b1563c4647dc5141b3630b0b49d65ec7f49ff837c98e69d45a852171c1cac7b3b96805153490657972304890c22aa00e6

Download Submit