0977feee4772c9bc896a2d3719f312de7deeeb52a754e6718bf82fe1c0982b4b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
Size

2.7MB
MD5

00a7ef94eff80ea45b4c6266a89509c0
SHA1

7c07304b14463e26a127ffe1b1361b12f9c094a8
SHA256

0977feee4772c9bc896a2d3719f312de7deeeb52a754e6718bf82fe1c0982b4b
SHA512

ab011cd9f7288b4e2c48727c5ceafb00863e854ab5599f3461b4c5eda48f2ab1db0505231163de78e93c0b0789741d2979123ab2099a8a8f116bf1b33dac9e73
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBE9w4Sx:+R0pI/IQlUoMPdmpSpm4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1388	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4R\\bodxloc.exe"	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6U\\xbodloc.exe"	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1388	xbodloc.exe
1388	xbodloc.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1388	3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	87
PID 3660 wrote to memory of 1388	3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	87
PID 3660 wrote to memory of 1388	3660	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3660
- C:\SysDrv6U\xbodloc.exe
  C:\SysDrv6U\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint4R\bodxloc.exe

Filesize
2.7MB

MD5
3935104ce891834b0d486f5b48b87595

SHA1
5cb16852b52f0a93bbab12ccf46d102372618e30

SHA256
d5c43cf5d33c83a51701ca425fe733449f2622536e0468b2a7233a0dd2279404

SHA512
8ba6b54c9290f534942f02945ba7022d10638f27768338e24605a89cd6380c409241fedbdaad8167749032b69da33e7f11ad100fc8705af64156adf2d52d7cdf

Download Submit
C:\SysDrv6U\xbodloc.exe

Filesize
2.7MB

MD5
f570885be90a72257853d51f408b637c

SHA1
7d67060a8d19180157be51e578b644f7b14af8cd

SHA256
530a644b2e895c243bf0ca98803384a15b379f411c331337b3f3df9619002042

SHA512
9fe6486496712f513a370a553d2bb530045a230334d910ee88336ad7631c7107354dcc04dc418d5db6e6dab483596e688e39b65701d286de89fd528e2be6a10f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
24613b02c533bfa738cbabf85c1738c2

SHA1
3c1722faccb2a17a21df22210945527a6a32577b

SHA256
ebf9338557fbe3fc05e450ff1ebe336026b413cba068543aaa31a279cf4b9667

SHA512
7c88dcdd5795bb87c40a8a9ada88df6ed692e8c54f6795e4e0cc5b4704163f4a9837ba98c3a07776740c4d59876bc6d2e3383a4ee2e2aeac3f5301bd17a33bdb

Download Submit