196e32bfde26769ef80674bf9b5effc3d20b841be3229987727617be2f8932ff

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
Size

2.7MB
MD5

040591d48b87c45c9fd5ffa1b7d7bb30
SHA1

2aeb137622dae7a6261307b106e2b6b341be216f
SHA256

196e32bfde26769ef80674bf9b5effc3d20b841be3229987727617be2f8932ff
SHA512

e056e9da8bea1a46aa847fc17f6c52a9af039f9615d89fd813b42a2836ea93b807aaedeb6b537c274dbfcdc3e36c4f4abc4b32bb5bea17fcf7817e56d07dc831
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBX9w4Sx:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU5\\xbodsys.exe"	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRL\\dobxloc.exe"	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
2152	xbodsys.exe
1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2152	1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2152	1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2152	1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2152	1640	040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\040591d48b87c45c9fd5ffa1b7d7bb30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\SysDrvU5\xbodsys.exe
  C:\SysDrvU5\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRL\dobxloc.exe

Filesize
2.7MB

MD5
a3457616748a963a009cf308002b0a18

SHA1
39becca074eaec9c647e0bc5a20d51675ed7598f

SHA256
f0ca9db3213cd4fb93220d486bdaf292e7dc3ae6b1729cfafbc08a34d7305684

SHA512
8a5b129f146a41cf26a6e0f45ce4452c07b4799096aa85321ec56f1bf2781d3471fd9735d4c5a90710db6eb3f1dd274fc451da6b5bd13641719abd78500cdf3d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
4487a3c6641448b91df784052af290aa

SHA1
acf2966cd024cdf296c2195285ab13fc6df2d541

SHA256
3768112d5e0798ffd297b93072342bf3f376fb175dc7a539fcea3d979a8b9596

SHA512
4b97771ded9431dd7ba9938ffaf29ec9d8ca2a45bf269b373aa33b7717f874a896414b02daa245bb8e7fc5ea7b585ba5a294138b9a3db9b155822c8456dfd077

Download Submit
\SysDrvU5\xbodsys.exe

Filesize
2.7MB

MD5
4dc0d4d0a41a4951d867fb7af602c4bc

SHA1
0afa6b75f815b9ee0f495bddae264bb735c13147

SHA256
e60003adaab0dd9b71745c6f77ab15a2cd028f907c7fde5245f6409e23e84b73

SHA512
ce1b29cf6b9f6c8f887bac1b5bc93c7bca111ff375480592788f1acd0a2e616c549e1e09460a7c0d1eb27b9aa3e76066c0c96ba7ed8d6f1de8f431b92c5d51a2

Download Submit