484a96b33eb23c232c73043cd7aeff96136ff7cb10558c0aae3011e13c7573b1

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
Size

4.1MB
MD5

481fcdc7cbdeb577c477310a2aec8ae0
SHA1

ed5b3552525cc10aa287361f55ce036108bb8321
SHA256

484a96b33eb23c232c73043cd7aeff96136ff7cb10558c0aae3011e13c7573b1
SHA512

028877124b48d52beba43787ca038be2c9c8b4ae98656e69f62c44adedd9e39142ae15c347c039e0a5a88c77995c78ecd38897aca412d37ccb2003c6187024a9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmU5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
8	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUM\\xbodloc.exe"	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5K\\boddevsys.exe"	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
8	xbodloc.exe
8	xbodloc.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 8	4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe	88
PID 4472 wrote to memory of 8	4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe	88
PID 4472 wrote to memory of 8	4472	481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\481fcdc7cbdeb577c477310a2aec8ae0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472
- C:\AdobeUM\xbodloc.exe
  C:\AdobeUM\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUM\xbodloc.exe

Filesize
4.1MB

MD5
cce594cc3d0489e9ea8901cb0aa0c270

SHA1
e6b2a026309ca626cce1861cda50bbab19f66ea8

SHA256
2eb1099d5bbf5c6ffcb4935c47ad227d3ac5563c599065178c3bf0174f831260

SHA512
328602a9cdd4bab4407b6b1d0bd9c3bca664274f159f02e3c825d1679eab9e33f499a372cb7e4e27858902ae7f4ec34977893ab26ef8506c194dc10ee3b88d5b

Download Submit
C:\Galax5K\boddevsys.exe

Filesize
4.1MB

MD5
b43a49d097b920aca5526a3216425825

SHA1
323790bfaec71edfba2a62df13e14085be966701

SHA256
55cf63035d8b00b6e30452cfeb20870a184b8e277991fbbf7027bbae76fca08b

SHA512
8f270f38c55e9949e96dcc4e49f0e4f4cc9f9bf8433d5bb37b131f42b88ffcd6227934f8a9acff09d3ecb3addcf099f8f4767eb5ad25516bc6e908f50ceefe6d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
1fb8257f45f9076f8d675dade9ae5b39

SHA1
d0f5e9a10a6f1507ab0d9c52dfd5e9160f9ddd6c

SHA256
ef890a7fb31d574f7a26cfa17c03afedf158892a2f5b1bede693308c7090d68b

SHA512
0ae8d9c602f15279fb7c5f837efad3af49105051b0732333f9049d70c2d84469bfdb58a31ebba5f9dbcaa0cfb59b87279bd50958206466d4a0c755a8bede86e3

Download Submit