27e562a61b8d9aa88bc68d4a4b921a3d33eb5ded24ae5c9480edf1fd6e254613

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
Size

2.7MB
MD5

a26d7aafa721b4031fb1eab67254e780
SHA1

ba42d28d44bb9738d8bce54bf7e949f6aaa2411e
SHA256

27e562a61b8d9aa88bc68d4a4b921a3d33eb5ded24ae5c9480edf1fd6e254613
SHA512

039fad0dcc351f61f4c98a5e73091fb60bfeffe01a7c006b8b71dcc90595534a5032547c2cb5f654710a08e9961076a518a371cf873fcdc29a7b74b012a0b838
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2292	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotET\\xdobsys.exe"	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCZ\\dobdevec.exe"	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
2292	xdobsys.exe
2292	xdobsys.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2292	972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe	89
PID 972 wrote to memory of 2292	972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe	89
PID 972 wrote to memory of 2292	972	a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a26d7aafa721b4031fb1eab67254e780_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972
- C:\UserDotET\xdobsys.exe
  C:\UserDotET\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBCZ\dobdevec.exe

Filesize
2.7MB

MD5
96ec73d0b2c13f1d60780596fb12ab46

SHA1
847cf1308735e0a42ba6bc547806da69964ceaf2

SHA256
92576bad13e96fa0fdc3b8e6b6257db2a578641d0c626a695fae56f2bce30e45

SHA512
18a8e145d6c8e79afbf27ec266a45faf630498b37855424eb628458cadf89c79343aee05a2ea12e854ac83d42286e485c5cf5fb971e986353c0838e59a3d908e

Download Submit
C:\UserDotET\xdobsys.exe

Filesize
2.7MB

MD5
889fcb4be74f65f46e62980da8b27825

SHA1
faccde0774b86b765f5f0c37465efe95afcba183

SHA256
c1c82f2bca06b503bea946c50fa536542f75b7ccf5886b3e3a970266c181f0f4

SHA512
d8478c27d8774dfe17380d1fd1667285af1053701570ebdd5290f2d332f82bbdf79819e391ea33cda24c1886b2c4922b7336373094f88a7420dde91ea810c1b6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
5bf31b7a0134353373695fdea84018c5

SHA1
7676c7a7001601273e8baabbef3709e5c3178616

SHA256
1ae8ca25e5cd8d94db3efd81be5eb5d623fbee6e96bc7b837c6a89867d43a0b4

SHA512
667b0e3dc7d81c9577412ea80396f97da5f843ed20fbc78b82dd2180725e726fda5469a91bc826ab4756e058375aff146a46ac5d5decdca5b034ad08367bbb4c

Download Submit