96619a0e2f7075e20a88ae4d2b9b9c8752fee3909590c6aea64aaa6fd3424331

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
Size

2.7MB
MD5

af420590f2bfd79f6157a03ef73b2740
SHA1

4321e2a8cafd4c5901e3e29cd42754cd88d7d4eb
SHA256

96619a0e2f7075e20a88ae4d2b9b9c8752fee3909590c6aea64aaa6fd3424331
SHA512

d7d835970702cc0a5668eb2ae3481c734facedead4cf78e2bfe08edceb74b158f8631775c3c9bf3585c89ab519034cdac18d5ebd658483ba8ad397a305328f81
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSp64

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7B\\bodxloc.exe"	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTY\\xbodloc.exe"	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
1948	xbodloc.exe
1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1948	1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe	28
PID 1228 wrote to memory of 1948	1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe	28
PID 1228 wrote to memory of 1948	1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe	28
PID 1228 wrote to memory of 1948	1228	af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\af420590f2bfd79f6157a03ef73b2740_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228
- C:\IntelprocTY\xbodloc.exe
  C:\IntelprocTY\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7B\bodxloc.exe

Filesize
2.7MB

MD5
2ce24c369c29dcb356b9ead2527f46ef

SHA1
4164b97c339f612c39c31b54e92081620ab26795

SHA256
3c77d41e1212d259458ef1af1774e4a8628eefe2d60484a1f3707c6348c62ce3

SHA512
40298dec7b3a2c0e7c3437ab2bf4e38d1acd8bcbcd4dd586c9851dcb7d4f75b87e8fa5be74a8c7994eadb80d57b060fc56b2069e7e87be507ab33f0a662b099a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
dffcf4fa3aaf4360c0e1f7294b62d675

SHA1
d3d8d219923f0ea08f2e27dbdffad5e65b58dd12

SHA256
a6d008c73a6f862e547c2cea7c50320d78de0abed3f541f83cb148fbe47ed78a

SHA512
76a4d5318e67fd0fc7aec02e164b24e0f49b14e21dcb9dd180d56071d906ea6b88950b11027367366ff622ab2090f824084c1e5647adfc4de57f18e6d40e64d0

Download Submit
\IntelprocTY\xbodloc.exe

Filesize
2.7MB

MD5
37405183f45a6f9e1e7cb233727467dc

SHA1
ba7481e38819a70c6264031cacce7b3dcc4ba052

SHA256
598d0764c554f221261007f780c29dafb46bd68bb59681b567c459c4bd2e7c2f

SHA512
4983dab675cf1f94043a7d157fa6f7cb7dd7db6252dc7fb1d4cb49234b27e5875925d30a45ddb3d6883ef7f16d58ba284ae8188642c147aa518988d61d58eae3

Download Submit