166ee4beab5528a6e46112bdb8e0355270aa9429650d96d3dc86fb4466eb6a8b

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 20:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

294e623eb5ad569622550730ce2d9c20_NEIKI.exe
Size

4.1MB
MD5

294e623eb5ad569622550730ce2d9c20
SHA1

d22bd803918ca74032b738e1dc42234f59eaa3f3
SHA256

166ee4beab5528a6e46112bdb8e0355270aa9429650d96d3dc86fb4466eb6a8b
SHA512

11304a0a4afcc9446a2402f4461f0f2e1fb98e53af749e26f1f0991791b46031f550bd40cfef85fbe4b5d639918ef082281ba818834c3749869716b722a8bbf1
SSDEEP

98304:+R0pI/IQlUoMPdmpSpC4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmN5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHY\\xbodsys.exe"	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAI\\dobdevloc.exe"	294e623eb5ad569622550730ce2d9c20_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe
2696	xbodsys.exe
1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2696	1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe	28
PID 1764 wrote to memory of 2696	1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe	28
PID 1764 wrote to memory of 2696	1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe	28
PID 1764 wrote to memory of 2696	1764	294e623eb5ad569622550730ce2d9c20_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\294e623eb5ad569622550730ce2d9c20_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\294e623eb5ad569622550730ce2d9c20_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764
- C:\UserDotHY\xbodsys.exe
  C:\UserDotHY\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAI\dobdevloc.exe

Filesize
4.1MB

MD5
a45d71ce213669e733e05340c4dc4f8a

SHA1
977f3d4fe7137a8c90eb40548bcf5f44864e4643

SHA256
96f42727fc62514e2d68bba3f3b589b89b3ba1041d81fc55c2eadf42b78bf080

SHA512
6a1bcf42e09fee676c6f8fa6009d5644ee2c7c0f6f62cf0d8df9155d66bfb05bd58635341c0efc8daabf8451961d46b59c9af2fb2a968c970589441f32d02807

Download Submit
C:\UserDotHY\xbodsys.exe

Filesize
4.1MB

MD5
22b6e7bdbcc96f7e2ad7082cd1f578fd

SHA1
da706e4e7b8f31d29cc075cd746bf160866a42e0

SHA256
afb9bbc8bb5a32dbb542027e6bb8e09a92a15c00e9126bc1c1d729fc58c8f751

SHA512
999e471b5886534949a968436dff8daf33e1491c9f980b15c1c0128418e59e5cdb1428ae0b58df1e3f12a358dea882b8d3cf05f6550ab77f6aea8543fe33e2ee

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
bae998c4f4cb399a8512c5d119440502

SHA1
21be809a47d859c3721cfe47c0989963612375c2

SHA256
4a7cd7ed6a552daeb16b2c411d8c6138a2efa37218c33990791f57dd61185cc6

SHA512
7e53c1ffdc3eb2501609f316bd6d6712adc44dfe80aa2a044b561bde6752ebb11b32efcbcc6e57db6c4990801c4df3531bbad122a6e6724dc081c87573136bd0

Download Submit