cc2c1100ef850c1f0313c563354244906c821603a28172c50cbca31dc8bc72f2

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5acf60693418775db62b72230f505a0_NEIKI.exe
Size

4.1MB
MD5

c5acf60693418775db62b72230f505a0
SHA1

71b050aa78df3ffbef87ab0e3aa28b619492c6f8
SHA256

cc2c1100ef850c1f0313c563354244906c821603a28172c50cbca31dc8bc72f2
SHA512

1bef0216d4aaa7dd94d6c1792bf0c526439f7c8761970f04b9c5dfe4b607512667243f16bba568a9ba2dfd3caf98ed56e5a11c4ec9e3bde8830460f4e4bcc31f
SSDEEP

98304:+R0pI/IQlUoMPdmpSp24ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm55n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK9\\xbodsys.exe"	c5acf60693418775db62b72230f505a0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\dobasys.exe"	c5acf60693418775db62b72230f505a0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
1456	xbodsys.exe
1456	xbodsys.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe
4708	c5acf60693418775db62b72230f505a0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1456	4708	c5acf60693418775db62b72230f505a0_NEIKI.exe	93
PID 4708 wrote to memory of 1456	4708	c5acf60693418775db62b72230f505a0_NEIKI.exe	93
PID 4708 wrote to memory of 1456	4708	c5acf60693418775db62b72230f505a0_NEIKI.exe	93

C:\Users\Admin\AppData\Local\Temp\c5acf60693418775db62b72230f505a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c5acf60693418775db62b72230f505a0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\SysDrvK9\xbodsys.exe
  C:\SysDrvK9\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZH\dobasys.exe

Filesize
4.1MB

MD5
2a5828345f5d6ae35443fe88e4b5e5da

SHA1
89acf2f519c3e24e24102b80dc3a1519985c280a

SHA256
696774d17f7dd60d7968c55af4e3312edf1ae893d0b4aa1e3bb6e4ea6205da0e

SHA512
1a3415c1447ef385099a0f35c552e103db208b740ba8c2f3d2e2b3c4e4cda22e627777a020eaab3e2c1c1dd7f0485e4084bc0e722ebe25a2a0a25a3ab8e15566

Download Submit
C:\SysDrvK9\xbodsys.exe

Filesize
4.1MB

MD5
8cfc577d5f332fbb3aa0b571166f1501

SHA1
8987dfc5049837e9e4063aecdadb510fdb3e5814

SHA256
0e29aeb8fd1945cb97c2e4af17f148981bcc00b649d489ef28bbe0c1ae6c0649

SHA512
f2d8d9f4bda96737778b3dbc438ce77459303be57b9562910ac4ac123c1ba1cbd25ac54efc48265f8dd28a6c6ca209b9794b9bcdf8e902246b8df7d4c6946af9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
68c7b496f228789b17d101f646db50ad

SHA1
58d7a920768ca62da6c4e5dfcfea68f9c9fc0f3e

SHA256
35e52d3d4e0db6dcf002d09dde663b0b0cb73c559a41f0974fa777b401fb77a9

SHA512
83e18646ce70d19aa4a2d6fd86d57c1d926ca55587354821e5148a6383ef91351c736f4d8c657efb42533a267124529a5a8c893bedb72a7802cebc0855626516

Download Submit