429fb199a24ea7d5485aa0763f6a9e8d97cd373640bf273f52cd41db62912643

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
Size

2.7MB
MD5

07977a4c6cac0605de1e5a597d8c3d70
SHA1

a5f1f910d92d20be4f1c24b0814638d6ab5c57f1
SHA256

429fb199a24ea7d5485aa0763f6a9e8d97cd373640bf273f52cd41db62912643
SHA512

476845c9d4e6426ce2411d4833f083828eba1b7026ee904a9cd32f20397b856bae423fdca04c328bada31af4555c2b10e251a540aa1bc929707c521f8390f9d6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTE\\xdobloc.exe"	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVH\\bodxloc.exe"	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin"66 ':'"5'3\4-"\)8595,:"\4*5=9":'8:�+4;"85-8'39":'8:;6"locdevbod.exe	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
2692	xdobloc.exe
1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2692	1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2692	1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2692	1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2692	1720	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\UserDotTE\xdobloc.exe
  C:\UserDotTE\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintVH\bodxloc.exe

Filesize
2.7MB

MD5
a2fa21afd49363745d323487bf3a1967

SHA1
528143a60294cf547ae811cce013ba8fc0306af6

SHA256
1a3eab3c26e24c931d3cad9db59657d4da0d6b87ee38d902256a0f8f33871125

SHA512
f3a504adc645b4cabc95984a6c54fdd65abb565c3267b7098ebf4a6c4bbebdf35fbf1e2cd409ae2f53b382c222015b0a1439b6e58c68158d1849fbc36a1f0b23

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
7bc55859e8299e31f072e25c79bffe64

SHA1
289dead42be32ce78eb77144979cbf8a71c00851

SHA256
b07b6d03e7e8b9dba78878ce39cb8d9e17f406255fa2fc13b9b6f3b65b25c462

SHA512
06fe3bd5f3d6b4c1354063eacb65f3c152d3ae8915ca7faad72b0ea85d814db85e7efa779561703c0cd881b1056c884f2e8aaa5991050d0550d3a0860d498f0f

Download Submit
\UserDotTE\xdobloc.exe

Filesize
2.7MB

MD5
870e3b1f04d7836fb8504f5053b3cc97

SHA1
da266db6753799d263adca792440244925ddf1e9

SHA256
89c41b3c98368b01ae859f21389c3310137bd8da9851ab46bcece3fe6e871cf9

SHA512
5529bf1738f11044a566e2b1f7b08d7da73ad851379969c3862349bc8b2e02375065f5610a81adea323cdf3346dc91ece607cbd14289243e0eb66942da0b2f6c

Download Submit