e64ee3b3dd3c803e983063f1d72fd73c768522678090aa00925f82a7501a8fa3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46ad43265774300b039f266db2711960_NeikiAnalytics.exe
Size

2.7MB
MD5

46ad43265774300b039f266db2711960
SHA1

500c490d5f93b86d749cd0be45964c1623cf7ec9
SHA256

e64ee3b3dd3c803e983063f1d72fd73c768522678090aa00925f82a7501a8fa3
SHA512

1bf0a6820934ee51dbeb6f511dd154816d605328ad7a9724b3e92be8e0c8090bacfd37402732e8b0430d8de1a7785cdd4d0ad7a0581d24124c0f3a45bb622248
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB69w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5068	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWZ\\xbodec.exe"	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHM\\bodasys.exe"	46ad43265774300b039f266db2711960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5068	xbodec.exe
5068	xbodec.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe
5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 5068	5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe	86
PID 5092 wrote to memory of 5068	5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe	86
PID 5092 wrote to memory of 5068	5092	46ad43265774300b039f266db2711960_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\46ad43265774300b039f266db2711960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46ad43265774300b039f266db2711960_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5092
- C:\SysDrvWZ\xbodec.exe
  C:\SysDrvWZ\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBHM\bodasys.exe

Filesize
2.7MB

MD5
8010f54e6075e9b25e1c6f25e7db1333

SHA1
4133b7f820ff47f866d57692ba9de010eddca2ad

SHA256
6ab1576e55bacf0431b7b8627bd25d97a6a959f0d563624ef52f98d4ab61cf6f

SHA512
5f328a3966aae3ac2502b2beb4f43f99d6758c81aaa94bc2eff862cc11d45da908664c3cef4cce197ef1dc1abb833d9f751449c8a3154f2c77dbf7bcdddce161

Download Submit
C:\SysDrvWZ\xbodec.exe

Filesize
2.7MB

MD5
0d40ccd5fa2d4a574c90685f2b8e3f3c

SHA1
5d95d246cc7791f4c1613774ba97a868a696a961

SHA256
2d381924bf79be784e6ebea4f48163172bc0c59a92be22e379a5302e822c2079

SHA512
f555d6503df6251040fda987251d33c86978216b167285f30aee2c554873096f611d8a53c7e1de223113cce8e5b5e675acb604d77291912a07fef980ecf5f891

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
195B

MD5
3f43af72633fdd92faa5991f65018660

SHA1
c97336049fcc4cb822d9fd120b9ce087e45838c3

SHA256
29a470186f91444265a6248c0b4f2c8a02263fe9baa869fa8f234cfb33933371

SHA512
8bb1a0c8c6ca8129a1bcaaace98fc7c1ed034394e632f6d20870b6be39972fe71663b379876988fa97104aa04c79e8a1ae756de51ae1c91f2ca908cde3edee56

Download Submit