Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 19:01

Static task
static1

Behavioral task
behavioral1
Sample: ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task
behavioral2
Sample: ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe
Size: 69KB
MD5: ccda6fb6bf98501a867736eabfce2140
SHA1: 8ccb09a3d9774e3b420f75563a902097f3c0381b
SHA256: 1b820ece6721b5aaddfe00f6be22d268eee03bbf4e8fdd4bff262b5ebd15db8d
SHA512: b4d8c5576956969ecdd64a8049ec5f5e568d1c316b3ec2fae5f90e0c0846d44c7fa56a857dde5b3ca16f8c917eedc44d6215e48d21f92a5d004996fb37024ab6
SSDEEP: 1536:xV3YCONO6mYlRzbR05nUmJI8T80zfEGekDWnRe95ZJgN:KNO6mYlRviU+jY0YrkSnRY57s
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | blofuc-oucor.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453} | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\IsInstalled = "1" | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\StubPath = "C:\\Windows\\system32\\oubseaxeam-onom.exe" | blofuc-oucor.exe

Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\oubgetet.exe" | blofuc-oucor.exe

Executes dropped EXE 2 IoCs
pid | Process
1184 | blofuc-oucor.exe
4284 | blofuc-oucor.exe

Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | blofuc-oucor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | blofuc-oucor.exe

Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ordeader.dll" | blofuc-oucor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | blofuc-oucor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | blofuc-oucor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | blofuc-oucor.exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\oubgetet.exe | blofuc-oucor.exe
File created | C:\Windows\SysWOW64\oubgetet.exe | blofuc-oucor.exe
File created | C:\Windows\SysWOW64\oubseaxeam-onom.exe | blofuc-oucor.exe
File created | C:\Windows\SysWOW64\ordeader.dll | blofuc-oucor.exe
File opened for modification | C:\Windows\SysWOW64\blofuc-oucor.exe | ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\blofuc-oucor.exe | ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\oubseaxeam-onom.exe | blofuc-oucor.exe
File opened for modification | C:\Windows\SysWOW64\ordeader.dll | blofuc-oucor.exe
File opened for modification | C:\Windows\SysWOW64\blofuc-oucor.exe | blofuc-oucor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1184 | blofuc-oucor.exe (62 entries)
4284 | blofuc-oucor.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1184 | blofuc-oucor.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3812 wrote to memory of 1184 | 3812 | ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe | 81
PID 3812 wrote to memory of 1184 | 3812 | ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe | 81
PID 3812 wrote to memory of 1184 | 3812 | ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe | 81
PID 1184 wrote to memory of 4284 | 1184 | blofuc-oucor.exe | 82
PID 1184 wrote to memory of 4284 | 1184 | blofuc-oucor.exe | 82
PID 1184 wrote to memory of 4284 | 1184 | blofuc-oucor.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\ccda6fb6bf98501a867736eabfce2140_NeikiAnalytics.exe" (level 1)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3812
  C:\Windows\SysWOW64\blofuc-oucor.exe "C:\Windows\SysWOW64\blofuc-oucor.exe" (level 2)
  - Windows security bypass
  - Modifies Installed Components in the registry
  - Sets file execution options in registry
  - Executes dropped EXE
  - Windows security modification
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1184
    C:\Windows\SysWOW64\blofuc-oucor.exe (level 3)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 67KB
MD5: 02136d9f577f5962c730704d4320b8e0
SHA1: 5798f72c72c44e3abde3b99af9a5652b42e893fd
SHA256: 68060c4360750886f44239516672accec5cfda922f28c805d4c1c5e807879e0e
SHA512: 22a099477a34d6c49d84744855b0083b709905dd4e36c454607f318ecd6b71369399aba59c1851ef8c5152a313d94fe6cbcf33b223d9ca9358c7223d1473d0dc

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 70KB
MD5: 804ba3e894855730eabba21cadcefc3d
SHA1: 32eb57be4715fe778f898a1e4b2ed711a85000cb
SHA256: 57870303a52e136ddb40468c39dab843c47a274e3a93bd90905caa375151cbb7
SHA512: 86770288c1cb93474d5cc39d5e128ceb63264d677c0edeeaf882045079d44dcbb16ab824383bfad8251249cebb296540fe1e65ea15f4ee536c1336d774a834f5

Filesize: 69KB
MD5: 547918cc63209ed44254455ae74d8fee
SHA1: 3893dde6cb465951c9ccd2d55c6ba15e5c94ab7a
SHA256: 9267627a0c98c487580e31bbfd928bd8d6b93a3434986ad4c5155905a87b1db8
SHA512: 49f3e4ce844ccff09ccc6a6051228a7b87ccb7e4b47be9c9c776804ef7f61a03c94f2081f144bc7f217cfa94fa011111608b7f1e6427ab308a97bd7927a3d014