3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 04:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
Size

2.7MB
MD5

dcfb275fdc8ada04f40dfe272fe5cdf0
SHA1

f7dad4569b90fc5e5a34bbec9adfd718bdc1f015
SHA256

3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0
SHA512

4100790d103504d728621c4dc9bc76e9a50364e790249e7d64511b5c30b0914a35091f685f46d500f58dd686805087f477d15aa39d25d46059ac2efd5c601fe2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMS\\xbodec.exe"	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxP9\\optidevec.exe"	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
2156	xbodec.exe
2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2156	2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2156	2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2156	2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2156	2860	3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ddbe43146de5371a95763ea42401eb0509e630640afc40bd36346cba33deaa0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\IntelprocMS\xbodec.exe
  C:\IntelprocMS\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxP9\optidevec.exe

Filesize
2.7MB

MD5
a662e908178a3d029177f0d84b1323a1

SHA1
8ac421e4b10525eca2f1c48178f708c1032307ef

SHA256
a40adc49a934ae162aadd6bf4dd74b348f64db2209e9cd8e0487f1e89074ab35

SHA512
1d05423176121f3c94e4d9abf0223cca251ba13a18e90c6feb5842252e644a83f46a54d63fe7fa43501c1198ca400b268c7fd93c6624992efad4904773b6f2f6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
b7261ad09e5c4b67b27322b1ae218fe7

SHA1
8e19b20deab3c7f31aa554b0bf6252430872711c

SHA256
11e0d72ea390968d227d2fcc160e68a2e2360a8e2b87a76b389b1c950c992fa4

SHA512
a3c061cef9f0f991bcdf63e6e60ecd60822e3ca45cf04cce0ae908a2ec837e464f95b926f69acabbd8f92fa2dd3c5ada55f70fe5f47d65ae32e4a70999574350

Download Submit
\IntelprocMS\xbodec.exe

Filesize
2.7MB

MD5
02df237f229f5ba7d07de2e74d053840

SHA1
c9b5c17df0063f545c73958f02b8ef6b7624936b

SHA256
2729a330cfbdf5e8f8c9e577728acfeb4c7c080ba3aba6e277dcce0064d9fe49

SHA512
06f7beede9e9fb20badac694ae34884c4dfc1bc923d7c10068109cd43d0d408508d25dfa01125a1b0b74099ec547875b0eb3e095ec42a7341e2134db80b47515

Download Submit