9e902eeec1e4ed3a91615aa99fcfcf9288f387596a391be729ee7a8dc4d6b80f

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
Size

2.7MB
MD5

3c2be3ebb9b0d9c1faf5cce8b80453a0
SHA1

823365f39335cfa6ef0e4834a600deea2b05c520
SHA256

9e902eeec1e4ed3a91615aa99fcfcf9288f387596a391be729ee7a8dc4d6b80f
SHA512

a810d4ca9abfc88bceeb91709df3403a4c15d36a529ade3f9b42e2a9b33963d0628fa5d04c629dc59969d7f4272238f67e2f23caa0158bb10f11f7854af360c5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPR\\xbodec.exe"	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBX\\dobaloc.exe"	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
1664	xbodec.exe
1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1664	1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 1664	1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 1664	1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 1664	1844	3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c2be3ebb9b0d9c1faf5cce8b80453a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\FilesPR\xbodec.exe
  C:\FilesPR\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
a250e97af2501d0d87a7628398c716e6

SHA1
6e0007a54f3200148df7d37755283a631832b55c

SHA256
e263030a1e85890d7a156bc2cf43edb891205c30155b790c382e478115147d52

SHA512
3e18c8f120f662804a3ececd969c05b1ce978d11e48e8889ba32921073a40e6d7d03d32467fd0e2060a20b2ce31e2c29de64fbc16b1f976ccfa73670e3b62f91

Download Submit
C:\VidBX\dobaloc.exe

Filesize
2.7MB

MD5
a827fce645e73e7e5fdff161dfc8bfed

SHA1
45d813382f351cc4b0d3ec5a8bf7044d468d53ea

SHA256
fdfdff36a4fd68e7526358bd67f535ff050cad61a972eab54b2fadfdd9ae47f7

SHA512
fdade0bd1c1b4e113a525e42eda04d4359bc92f60d8f2a3a7c3af2ea46e65d86e9a5529cc7df9d088b431388741bb39da1e4ef70ddf7474f1f19f788a5e22dd5

Download Submit
\FilesPR\xbodec.exe

Filesize
2.7MB

MD5
5fbd0a380774877c4d6abf9b459930bb

SHA1
2bf9a1ce49ed05076c51426bffdf1a8accc0cdf3

SHA256
0a5325a8581f6c301fbc19cf8823df92bd21d3aaea6f3e9f9e402753a6968eae

SHA512
4411b1fe21be87cda1496ca88e411da64557b48180208cef59a4533a65a0e0bc2976181a6b47366eb458594de78f4df6ff76abc37e7992e47cafb7d5fe5e13d1

Download Submit