90e82a0243361e09344500cdd09f5538a5a59e3661e9c5b37e7eda4454888078

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
Size

2.7MB
MD5

c0bf732dcf2720b82d7b96a9033b7fb0
SHA1

fa5c7127a2db863de943919f3da0084519d82be9
SHA256

90e82a0243361e09344500cdd09f5538a5a59e3661e9c5b37e7eda4454888078
SHA512

cece647b1a426b8ff309e6ca172e7844cf881d3894fde24b5fb7f07a8d7866a50c33868fb1c0fd3b659cca504ad24ff697fd53692ae13da4657b69b0d541f1d3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1536	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc54\\xbodloc.exe"	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint51\\optidevec.exe"	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
1536	xbodloc.exe
1536	xbodloc.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1536	5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe	87
PID 5036 wrote to memory of 1536	5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe	87
PID 5036 wrote to memory of 1536	5036	c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c0bf732dcf2720b82d7b96a9033b7fb0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Intelproc54\xbodloc.exe
  C:\Intelproc54\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc54\xbodloc.exe

Filesize
2.7MB

MD5
953cdaa4e77f92bedcb2682b3573fe37

SHA1
36ead048aa1fe10068d919f6d01cd1d1d37d4551

SHA256
003629b052eee0519676196d2e67b02514807bb9544eea2487230056ccc86ede

SHA512
d290c5db7686d51a4eabe257fc85ad42d416ec273c5d72a9763df1b81566477e7377afc5c1be39d751d82dbe3f3215ef564b3f76a2a35894f0361e096a09c534

Download Submit
C:\Mint51\optidevec.exe

Filesize
168KB

MD5
6fa9efa2012e690c5d702f2bfc990dc2

SHA1
81e5c3a23c809a21ac80e666aa69a63b605623e1

SHA256
60090090d446aeec611bf072cf4b81d2b00eb952e67390f287c782367c2a40d4

SHA512
66fffa185dd7537516182c394d9aa533e2939e3b669887d01597b82ad91fbcff064cfc39e6e36491b2cc14633c1e861c4a1294a8480e5fa3d0c9fb179f91bb33

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
cafd74448436d13b965ab3b12b9e1b4b

SHA1
eb49997e14fdd228e9f03899cb108fc28c2e5017

SHA256
7d6f1ba644465a8b6da7aca887f0199e8b8a06f4ceeae2c1d9656321c2b73718

SHA512
c69132f9922d592a496a1f1f9766a9ce2bc3df2b75034d457c3cfa96ce0bc3e93b16f95b3f2cb5eb380b053ba8fa69cae9e4f24dea6549e3c756ab109bdd1fcd

Download Submit