c9b7499326ad7aab845b5d89d60c988fa17aa9b3c0bd0e1b67e709cc0479a6b5

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
Size

4.1MB
MD5

0de15ce47d006973d19eea7c9fee7c00
SHA1

0e6b5afd4c081507e5b481b94622e6f771a26de8
SHA256

c9b7499326ad7aab845b5d89d60c988fa17aa9b3c0bd0e1b67e709cc0479a6b5
SHA512

bf4338e1f2d32580c4250789880201c5033b31378966980a87e63510045807d1767cf89b9a9bc984ec713d2bd65206ef0d822d1fe61f33fef8888a7362f14b04
SSDEEP

98304:+R0pI/IQlUoMPdmpSpl4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmy5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe"	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe"	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
2224	xdobsys.exe
2224	xdobsys.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2224	4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	84
PID 4468 wrote to memory of 2224	4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	84
PID 4468 wrote to memory of 2224	4468	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4468
- C:\AdobeQ8\xdobsys.exe
  C:\AdobeQ8\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeQ8\xdobsys.exe

Filesize
4.1MB

MD5
5124ee8a088e605d72fd2513c253dc77

SHA1
bcbf065336ed0c786583bb848a1d4d8e2fb399d9

SHA256
a156449f637911314715f7d440cc6f0bc754c4035518538e457d908cbcd9ba2b

SHA512
cf99f966c949da46dff6d7a0c686fa37ce194ae918e8ea895ad1eac003b60a15d6421c613231bc85de8176d2cd39135db7ca6cea33d08b25074c1ccad9dd9ce6

Download Submit
C:\LabZHK\dobdevloc.exe

Filesize
4.1MB

MD5
1ad500dc4e359d22b38c495f61f7623e

SHA1
478c5fc7024c94719c95216c9a52b222fc05ef72

SHA256
2db0f5699afb3adfb42f38c25f5c0a6a225846a26cef279a2637b0c05bf3cc01

SHA512
e9cf0506dcb276284e2866d7f2348fae19a1063e01137409e23f69f72b86748af5c4bcf45eedc2c6a2ad814be82c2b8ef473ed8dab1dd614950289ebdd21e7df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
129818c199404bee264fc0bf0caedb7c

SHA1
8af2d5c5af552fb348192fec60af23e69650072f

SHA256
70f7d2c3303b8e34cf0a6c1ba8ed8a43504544eb46122c94c5749d16943da3cf

SHA512
e3260e3e34f8f41fcb2fa0a005738c1f79e56b9e77dedc048c2af17e0880724c24d67cc97d796bf3c31aab2a47f93e3b927ae9857b8d8f39c72b029744b5dfbb

Download Submit