0b2f0869b54d9ea62351f035540a7a612fe680ee9e8d82b4ae2fe5af88cfa344

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 10:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
Size

4.1MB
MD5

7c2e2db9209ad16b89269d6ec8aec320
SHA1

0506161bbbecf8d4acd643236132ba3630368b96
SHA256

0b2f0869b54d9ea62351f035540a7a612fe680ee9e8d82b4ae2fe5af88cfa344
SHA512

4b75b79452af3797c24d5a9b7f9ed9395dcb8e9e765206f9b27303ef3a5405442e25f4f02d45f1a4ebf8a403908e6576b8ab8155ac9ae82ab37e5e0aa85da885
SSDEEP

98304:+R0pI/IQlUoMPdmpSpG4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmJ5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPH\\xdobsys.exe"	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEW\\optialoc.exe"	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
1480	xdobsys.exe
1480	xdobsys.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1480	624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe	87
PID 624 wrote to memory of 1480	624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe	87
PID 624 wrote to memory of 1480	624	7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c2e2db9209ad16b89269d6ec8aec320_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624
- C:\SysDrvPH\xdobsys.exe
  C:\SysDrvPH\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBEW\optialoc.exe

Filesize
256B

MD5
7b3cffac7066949173af9dec430e50ef

SHA1
4c7dd08e8b1cbe82c512820c7053bd053b06d424

SHA256
82e8f656f8eb55c46453962cd11965172a5564eb82c56788f85f83dda46995a8

SHA512
23b204cb0e6bdfb0aa9170914f3a82b60f8ddda4c76fd13b8df933d68165658435a634f1fa5974cde19cb1ee82cc61a4618c9b581c7ae6d0dfb43223fe6e8151

Download Submit
C:\KaVBEW\optialoc.exe

Filesize
4.1MB

MD5
a26e4a310d3bcaaa444bcb164b8362ec

SHA1
0545bd78e8076018f064ae5b3bec2cdb46f244cc

SHA256
e6fdadc49e1366e3c16184a61ad0c74b9215cf2b082b1c378712d93c81efed83

SHA512
9e63848bc568a967fbc62ca2cfaf6b768ee1626ff7453738202b247321e80f59b969502a55764c84b152998badb1c251d5be1e7d6f5f37fbf091a9f7ab4c5f21

Download Submit
C:\SysDrvPH\xdobsys.exe

Filesize
4.1MB

MD5
7f1ea9c0b5ed24b8e233ce923b31a9a0

SHA1
fd4e23d08316cc11f94842b76921b852c93c795e

SHA256
f6d4fd5f04e86aec7976186dabb210a1ab987f68a91bfb1778e3ce007de8b19d

SHA512
305c2a67d914f86c4cf92f53c9ddd8dd0f8bdddc4f6512c8643f092a8b3e28f765855f088c60befaba9d71b35cf03c275e704054dfd570a7257e9b6eedd1184e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
8b7b507711ce6c7994287131062279da

SHA1
c8ae57f21b64f53e21f1fb36a5ff8390c8d41931

SHA256
115262799b988272f2f410c63c9990172c233b4096a6ca3989c42ba2280c3775

SHA512
a83e600641b7950aa08da98838269915b6e595c312267696b1cedd546f1100ff21b1f9b11238e76c8b85175563495de18dc3997090dc3a3c94606ef8beca1212

Download Submit