2c595c3423a441e408f13cf00d98a9eb0a0e813252218758ffbb3c7e6287eb12

Analysis

max time kernel
149s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
Size

2.7MB
MD5

1cfbd4c4c14b6506acde10bf31170bf0
SHA1

3bc6a69835817551378f9f5219f299b6e2ee7b33
SHA256

2c595c3423a441e408f13cf00d98a9eb0a0e813252218758ffbb3c7e6287eb12
SHA512

26f26a2fcb569cffe3dd6b6a4ae310f08366e84d8bb1ea516f024a002f17b380dbafc3537c82f0bb2fc61ba7eebf17a3f871c943ca4f29a1f9e9e65848e3b178
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
372	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK9\\xbodsys.exe"	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\dobasys.exe"	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
372	xbodsys.exe
372	xbodsys.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 372	2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe	90
PID 2052 wrote to memory of 372	2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe	90
PID 2052 wrote to memory of 372	2052	1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe	90

C:\Users\Admin\AppData\Local\Temp\1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\SysDrvK9\xbodsys.exe
  C:\SysDrvK9\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZH\dobasys.exe

Filesize
2.7MB

MD5
1e31d49867e1430e2c2e8785fb772d90

SHA1
a6cf5ae182d4ef5838ad7decbc95bd2233791403

SHA256
27499571958a5a0f2962b8448215cba9523c3e97b0681f9a32fafbabea6a896b

SHA512
254ccf444c5bba6b48c7fd1c7b3fbabfc55b9a154577931ea6f0f95458ef48926353e07231d4e89d706fa928fcd6adca4a35aa851f78682f4a8b575a74cd12ea

Download Submit
C:\SysDrvK9\xbodsys.exe

Filesize
2.7MB

MD5
1b617efee32dab4e42d770e535e27a1d

SHA1
969636839aed8d9513476f9231f4f994fba5f2fb

SHA256
ad5dc4d5d2b2d70a3f8813c09eea0893f6be7a44eadcb9e0daf2eb02cf92785f

SHA512
91a39203bcdea503d58f2705e0f855e25f3612243f0687837a733a1714791c1f5bcd9163465d51270c5eceba54a327ac368d8c630ae17117bad0d3e174aaae4b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
2487cc4b1d863a2f870ac6ce38a21f79

SHA1
4a4d6391cd5932ee004e47c8ee84ac3492b3c101

SHA256
f7a29b842bc77bfe0991185957afe9444c3f062b2f6f725e2dd352b7da42c21f

SHA512
2d55d4667969ace1952f1131fdf0d5190d71e9929ee040ee61d63a04a53c6931e4df669cb37a3ab469838544ed2ac27681e343b6be4d42e59966898352177ff9

Download Submit