67dc121b8bbb8c038568eb17a838c3b4ea2b00fd256ade810c7824bc0307d354

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
Size

3.7MB
MD5

bb1026e0eb1bf7c899184931bbb8fc80
SHA1

e25bf1355b9cfd5bd97ffe3be1a39f666733fad7
SHA256

67dc121b8bbb8c038568eb17a838c3b4ea2b00fd256ade810c7824bc0307d354
SHA512

8a05b89bd86603b580522f66898b1ce249ba3bbfb9c5c65ca7002c18ce8c01f7e9629984722a65f377427800bc42f19976ee69d01c22c6c768e40a20d20e7558
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6:+R0pIAQhMPdmQ5n9klR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYH\\xbodec.exe"	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1T\\dobaec.exe"	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$sysdevbod.exe	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$sysdevbod.exe	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2152	xbodec.exe
2152	xbodec.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2152	1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	87
PID 1636 wrote to memory of 2152	1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	87
PID 1636 wrote to memory of 2152	1636	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\SysDrvYH\xbodec.exe
  C:\SysDrvYH\xbodec.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint1T\dobaec.exe

Filesize
3KB

MD5
3161dff010f251bc927e6e78cec9f490

SHA1
c2d8e5e54300810e861e8bc27b869b3e8053b8f6

SHA256
b1a15ad4b5bb8edcf1808226895d8dbb5d7a9b52f7859584e51dab938991a13c

SHA512
40a22a64ff72d4b9528f24e1cc4a5a59e79cdc441d00f9a9853cac1a3cbde37f264ee95d3fac212e89beb62a050da325fb2191f881422f57ba38ce13876e4679

Download Submit
C:\SysDrvYH\xbodec.exe

Filesize
3.7MB

MD5
c173969a9d1976ca7181a8d3ee03e2aa

SHA1
a1f98a5eece4693d8a3e13b9d2eb5cf0b286e9c0

SHA256
a4a8c666a7ba30a5be2dcd8e01eb0cd92e2f3fa97b74f066631e0c2b826f7446

SHA512
0cafc09bef32048855b24914ab50b7fce1f39abdd8a3edd1776a0a4c97db644f5db27e73e81bebce2f608b2050f9f2051830da10616a5044a926a1cddf0cd1d1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
5146106c892e8b82e0020b722413f8b1

SHA1
c584603d8b50a5c9368be69dcfeebe6315f09597

SHA256
8e00c1c1d776ead877302c87981fe55c40797940370d1966e21582bf11d6f5c5

SHA512
dd0ec24e7dfed0c0e1e5e05192fb8ff4195ffa77efcafbd2373b8e455fede876b29f29267efd3aa9aba88421d92d2c1afe801d09c7e5b5b35cb8362a8a2af056

Download Submit