15c71ee914a25dc06ef41f6f79186a4252b2c678d6b12390a09e868a86d19733

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
Size

4.1MB
MD5

1f3d8dbdacef0182fb7cf9fabc164e50
SHA1

53f19b7d4f52c2cc64243c1ecdf4d6d16ed90f33
SHA256

15c71ee914a25dc06ef41f6f79186a4252b2c678d6b12390a09e868a86d19733
SHA512

62dba28f9183f2d4c1d6950cf2fdacf22e8c9e622d4bfac8a05bd4871f6096fa90762da1627352013c7707be64d5a6aa26d77b25dc65d198ddc3f634460ada86
SSDEEP

98304:+R0pI/IQlUoMPdmpSpz4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmc5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7Q\\xdobec.exe"	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1F\\boddevec.exe"	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
1124	xdobec.exe
2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1124	2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe	28
PID 2756 wrote to memory of 1124	2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe	28
PID 2756 wrote to memory of 1124	2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe	28
PID 2756 wrote to memory of 1124	2756	1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f3d8dbdacef0182fb7cf9fabc164e50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756
- C:\UserDot7Q\xdobec.exe
  C:\UserDot7Q\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
e5892e8b75f91673b052b6334b2fab9d

SHA1
dc92b6f42b2de5ede0a2f468fd3b201fa58ced4a

SHA256
07bdfb2c3b5aca691e43dbb68d57093bc07e848b59650def00f1cd3f86b75249

SHA512
ce05fba275af2fb778a5c664e42086f79f5758af40e8a727391d45880d2f54a9f99e0d03a1cf986fb42e1e5c2ff0483b35fbe1d1fdc498b2dcbc6d0fba47757e

Download Submit
C:\Vid1F\boddevec.exe

Filesize
4.1MB

MD5
4c9bcc39a3017bf1a9ea2ec31c5335aa

SHA1
17cc2c339f80a8d500d13694a30fe5a2bbc4133e

SHA256
aad38682806b6560e992c7f126654784a214998658de4df48b99ce3e785b89ef

SHA512
b8b710ccd82480bfecbdedb473b667a2c57a7a718d49c1898da27115aaf8bb6f748bec0fd0700b833bab7d683acd8eea32258c22219b993df512cf218581158c

Download Submit
\UserDot7Q\xdobec.exe

Filesize
4.1MB

MD5
e1170461e5e02de21bf27ed9a20a3ffc

SHA1
0cab903525bb9f6ae8f1406e37155a6679e43ee2

SHA256
98cd156c1ec081023a7bc6d0646cb39fe5d230ed75d7325b9fba63cb9884e658

SHA512
6589aef05ee21ce6b4627e756d5e99ae9fc7abd41aa62ee9d5f43099ce3bb0ac667d337e6b03b3267c1a173ed25bddb37c984470b78142e80a44abc5bdddaab7

Download Submit