44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
Size

2.7MB
MD5

7c417d2dbf7d90ddb9234a0dd0704650
SHA1

1e836992f0f46d31c6df2427f4db8b9faacd67f9
SHA256

44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce
SHA512

f85ac9a07af23ca4984533882b83a7723dc44f5f86e8a31c30d4f8a8b866eed5a289b31733c9c44ca4b348b0614b96e111cd0f5e7949a90f9e19630f4abd95d5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Sx:+R0pI/IQlUoMPdmpSp74

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM6\\xbodec.exe"	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLU\\dobasys.exe"	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
1692	xbodec.exe
992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1692	992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	28
PID 992 wrote to memory of 1692	992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	28
PID 992 wrote to memory of 1692	992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	28
PID 992 wrote to memory of 1692	992	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992
- C:\SysDrvM6\xbodec.exe
  C:\SysDrvM6\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZLU\dobasys.exe

Filesize
2.7MB

MD5
cdc8198064900648e6b06387cde4bbe3

SHA1
f8c5a73b48d0ffea34d9296e613e51e7899b6b3c

SHA256
54090240c96f7b6800d4a479e409066442629e75ac385e578e9af5982660f8c7

SHA512
ab8fe964924499fa34a2fb14b22ca73f45e3753a964767b42ff1ca0de89a3f7d37907813d6c5cb0cbcd2a14141e09d066787c5784f65b6fda74025209c7d3834

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
b7b16dae0a20ac99c13655c4b4dec423

SHA1
b796341e4959801e5721b5547b9b7b8054954a0c

SHA256
cf58266ce0c765c85b4ee84596011d84a5070673068a388689ed989e5ba31662

SHA512
e02e932ff0f21175f6316f4f15956c66d80469d3ecd16c3cd1d9d18aca734126970e92f45810278aada1f77d4075c796822a004013617f00438e731a76adaf0e

Download Submit
\SysDrvM6\xbodec.exe

Filesize
2.7MB

MD5
d8b71cf74f8b08d8a834e310c9c8b41f

SHA1
5462368d71d0cc7d8060cdfc7cf75002a3072f24

SHA256
8b1bf7cb832dc4d0706430b3cbc84f15a84727c7510ed874c1aecc6c90d2ee6e

SHA512
745dc3c6ba59f52c37d53f9bbe206e1f6d2d87db45f708df745717cba0dc7ab37857f3d01cf40a9111909c572c485efffbbf8a1e0b976ee5d0cd3526916008d9

Download Submit