34ce47d125da8f3f932447eb0e495bf63b435843b759fe666e6d0d068b385a48

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
Size

2.7MB
MD5

abdafe21348bbc452a05c4796dfddd00
SHA1

02c06968551fb21802094f9fec39f467f8f0fc78
SHA256

34ce47d125da8f3f932447eb0e495bf63b435843b759fe666e6d0d068b385a48
SHA512

4a074edd6926a3ed7e462d6404f51f0a9f5bc3087f6cf05269b6403388ded31ff8cf5fcc28c6cff78f1eff8e26a32ce0e0c2daabc5b414c7b2d7080b01ac84dc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3132	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT1\\xbodloc.exe"	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT7\\optialoc.exe"	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3132	xbodloc.exe
3132	xbodloc.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3132	3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe	87
PID 3324 wrote to memory of 3132	3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe	87
PID 3324 wrote to memory of 3132	3324	abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\abdafe21348bbc452a05c4796dfddd00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3324
- C:\UserDotT1\xbodloc.exe
  C:\UserDotT1\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxT7\optialoc.exe

Filesize
961KB

MD5
143ef41b751719eb33521059ae2b30d6

SHA1
49089fbae59bcd05a42ff9a6d10d8b777ef1f525

SHA256
bd8750ed53de27a18adb6112e2322ae75b87da19d7d7ab3fc56fe96b6a7411cb

SHA512
45f1f7a8d1a7d460b109bf3e30a14f382b84f25395bc3d61ffa935b4ea021a4c4cf55f209b49ab87e62a187f56eb237050edd5cf3a0e981da537c5ac6d4999e6

Download Submit
C:\UserDotT1\xbodloc.exe

Filesize
2.7MB

MD5
50623f08639e26cb5a7d126456a3eaa1

SHA1
5a502db34e4bab6137cb1609f98260d3cf9e84d2

SHA256
4d9ff476ec057a17f59539a7039bd32a6da394d60a454c63aa16e2588fa8ee17

SHA512
eb44f985143b4bd795740bceea9cbeaa411c7e6b403453c17f740de0315829a1b0c438cd9ed6386396397ac4a1e735b77a810cbd5f75d1f69527c0c7ecce91d1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
1738461c556aa56675947f9a8c3b9501

SHA1
b2f430ecab98f27f64f513b2310c5cf94f24775a

SHA256
0e88fc6e6c9f4ab37fbc17714cc7f26f0e2cbcb819bda45a15ef27f75fd8c1e3

SHA512
b192ec53c1d79b4f7837f68b0fa7f5139e64d5e336978618899d55e23baf0cf16ab1d96eaf1e163adf5601af148fce07a8e3b2bf4fcb1ced2cd6b460359cf423

Download Submit