07a9ae340287cfadb669224685f3cb42d41a0621c663fdb7ae33d2eae2699038

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
Size

4.1MB
MD5

cf75a86e11d2f4768f372d5edb974a50
SHA1

dcadfa84f0a7f2ad36277b8e0fbe99ea44984076
SHA256

07a9ae340287cfadb669224685f3cb42d41a0621c663fdb7ae33d2eae2699038
SHA512

c4f5bdf4c429d93af6193d6d178b734ba1205d5a8b69174b2bc589d70d1c42a80b89d55637d03b535f9ffec635f490d28b85667b7aa001a13f07adf2b6a8a8b9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpK4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmt5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB9\\xbodloc.exe"	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobaec.exe"	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
1780	xbodloc.exe
1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1780	1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1780	1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1780	1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1780	1948	cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cf75a86e11d2f4768f372d5edb974a50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\FilesB9\xbodloc.exe
  C:\FilesB9\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
75cdd1f5bdd14d8d7afa29c3f1b49daa

SHA1
b9011a88e7fa7b29b623f4d00bb98c2fccfc4cd4

SHA256
25fc009e632072f3644d9847461c21f586dc7df616d7c2a1c590c741c46c9fd6

SHA512
f3c833994548782d3b10e49c4034d1dc6579e624930c00b4e20a7f79a5537206f1d20f68e7b7bf933a624e8896db8bb47d5642febe33bfc5930640c5380e4b7f

Download Submit
C:\VidU6\dobaec.exe

Filesize
4.1MB

MD5
f65da28d8cf1de6ce8a23a21bac53106

SHA1
d6ad6cf3bdd23074053c37ecfe275899f29e855c

SHA256
6caa54a3d7eee3867551c7965ef5b324e8a760d0e4463d0d4e581a6eb97b9890

SHA512
89ebd01839437593543570c00518130a06a41586dbd8b05eb604ab265a419c34cf8aa1b3508ef570bdc79ad1e91ea0c878f90a7e2cf4dd96a79640a2ba391b25

Download Submit
\FilesB9\xbodloc.exe

Filesize
4.1MB

MD5
016b6444f4e4d7d92752b402fa2f0e69

SHA1
0ac850018658ab7f32f1ae4cb565a0b2eef0d1af

SHA256
cfc61d5511af4db2257bd0025a4851a1354dfdea8f671ff709af4c0121b73f97

SHA512
0d9bb09bafbfe29c35ba02ee82a63aa47ecbc9c48b74c11dc2d203b9b9f13f731455bc9cbd43347c21b2d53dddc292247ba01f1adf9070ad18cfdc213b8b80a7

Download Submit