3b4572205979d998274cb6e1247782046781a80138e91f404e6beaf1af71b887

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
Size

2.7MB
MD5

df1d12dc9fe8154675c41d3ba8c653b0
SHA1

f9ce2acf5a22f47750e05266478ae08de9478927
SHA256

3b4572205979d998274cb6e1247782046781a80138e91f404e6beaf1af71b887
SHA512

b79e72d68e056cf556b05021e3c702dbe4db86f3bc04d7e6710c7d2a46c0fc4bfb759cdf0d0d5b00aeb48561319962adee66bd68d3713d4d7d25c333d3cf236e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4S+:+R0pI/IQlUoMPdmpSpv4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files70\\xdobec.exe"	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3P\\optiaec.exe"	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
3044	xdobec.exe
2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3044	2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe	28
PID 2652 wrote to memory of 3044	2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe	28
PID 2652 wrote to memory of 3044	2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe	28
PID 2652 wrote to memory of 3044	2652	df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df1d12dc9fe8154675c41d3ba8c653b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Files70\xdobec.exe
  C:\Files70\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ3P\optiaec.exe

Filesize
2.7MB

MD5
50cc5e6b6dc24489d9a9e38edc11f593

SHA1
c1ce71db0bc2696adfa6afb857124d11f164cbd9

SHA256
cea57e73a56e09b68d4b65058d9884e60bf5704dc94e7be96a07e58bea1dc112

SHA512
60a0295573311d4077f9a75691c85c8550d1652f6b14bd2d57f60b92a1f613d08124e485de352307e2f931b90a83f7654ec3449439aa58fcaf591642d970a598

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
76dc7cb77feee1dd3734d7bd51e23f69

SHA1
d1bcf4b5bf4f41e3fcd571d1e08ee9012608e0d1

SHA256
971920c39ee95cd6e3e81bf23a2d43151588124b789539fce8bca62d8d57e3fa

SHA512
533635da77206aaa7c174d6f82c87443253513958e3f362b6f3417fafa02b1b6e863db527ab682bb60cb73f12185a32ea7bf0224314a1ce8b8950f51d26d94ec

Download Submit
\Files70\xdobec.exe

Filesize
2.7MB

MD5
4566defac746eb17b8815de3248f8333

SHA1
638227b69992574dbc6b33db5a1589d2e30e631f

SHA256
65140386f0f9efc2133b095016d9190400ab45d488a48753f9d1a9d66ee614ba

SHA512
21d34bd76a56ccd0ce6360007555c12c5bce14eee6dc31544a997e75f4b5611df3e8d476e0547361fda6210ef8873e661a18df9b690dbdc5839ec1a660a30fad

Download Submit