8a15c447962d7bd823fc5d3e5366d2e70cd3f7571a24e862d4bd2a4c4cf13b72

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 09:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
Size

2.7MB
MD5

e231a1341ced50815580646f8823e920
SHA1

87f388d6add431386df3593aa339089c10d50320
SHA256

8a15c447962d7bd823fc5d3e5366d2e70cd3f7571a24e862d4bd2a4c4cf13b72
SHA512

c455a4c84afa28dfebacbf6dfb07c69d24c7101df63c7310b038de788792a0476f3bfbbd228d3fb24a4d2699bcb4c7aef63d0401cea9a852395fe31ccc4ce164
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB+9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNF\\xbodloc.exe"	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYH\\optixec.exe"	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
1732	xbodloc.exe
1732	xbodloc.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1732	2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe	89
PID 2256 wrote to memory of 1732	2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe	89
PID 2256 wrote to memory of 1732	2256	e231a1341ced50815580646f8823e920_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\e231a1341ced50815580646f8823e920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e231a1341ced50815580646f8823e920_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\IntelprocNF\xbodloc.exe
  C:\IntelprocNF\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocNF\xbodloc.exe

Filesize
2.7MB

MD5
44092c0fed7b9be96f1eb02e93556689

SHA1
31325a208c15897ea6a6a0abe47b8497c88edf2f

SHA256
2ab11d148d3e79968352de2f91b23484f8062189d87a95051ca8067d69f99f87

SHA512
9db5ea7898f70afff503b29466e385a7a8fe6dc4742360a41e6d636daad2b269633db8f94f71465d9182cb76bc5e6cd03de8890ab8e061932f4a5591c913c3bd

Download Submit
C:\MintYH\optixec.exe

Filesize
2.7MB

MD5
059e7f6dc5c59d4bbeec645ace180aaa

SHA1
9a4c26c668b70d95734d3cc5852ec50907d26bd7

SHA256
7651bcba0f3351137372fe61e48e351da621ca521804da2d7fccca9e3127ea55

SHA512
e03b710191ebcc2f62ddc628b31edb966335070ff417ab99e68af2fc3575431506a75968f1d77b92a0ff947ba6849ee4c045d3c265be5a6da66c7726a4dd52d8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
d38ffc421d8e1247165b2a35d637202e

SHA1
292ee25ef22ad90e59163d82c090cbad0f69ced7

SHA256
1018bb3a82975b25280757b3d5efd28db26e78e7ab8a88c756b16b3585857287

SHA512
09f258dc0659b346699ab965ee32df51291ad2c9e598c3c44b548122f0aa58cf43438fbbfd8115069dbfb7a11d0ec93aecca1f3eaab3241797db9def0cd65905

Download Submit