034b16e816c4cc610094035fc9d0605faf446772cf436677a6c5c1d29ee68bcb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
Size

2.7MB
MD5

61cb6c87214523e78eae497d68298a40
SHA1

0381d6d0c4488146d06686c0e462cdbe780c7ec7
SHA256

034b16e816c4cc610094035fc9d0605faf446772cf436677a6c5c1d29ee68bcb
SHA512

8e0de490a5f81509145808ff37b3f3a53128f5a2f9a38b934161b8b31fc973b5c64741a1ffdf5781c00a014a3e41fd348d4e7572b769c8691222965bb3698455
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWC\\xbodsys.exe"	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIR\\dobdevsys.exe"	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
1692	xbodsys.exe
1692	xbodsys.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1692	5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1692	5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1692	5052	61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61cb6c87214523e78eae497d68298a40_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\SysDrvWC\xbodsys.exe
  C:\SysDrvWC\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintIR\dobdevsys.exe

Filesize
172KB

MD5
54b3b53477f419aca74eb305b93b9b50

SHA1
838162158a4a5d862e1b6be8c8ec02e7ebd12c94

SHA256
cbe627f9fdd592761178b67dff64df690432e16ad4196182d5d7856df1fef065

SHA512
7395158e5f093c90104c75a4bcda0cd68a5822d38df32c726a33a5b60303ee7ecb6b409fb40d80c4b7ab6a410139c6bc555f2e5fa53c84c4a91715b77f04f887

Download Submit
C:\SysDrvWC\xbodsys.exe

Filesize
2.7MB

MD5
c1e4b157ef667af2aba72b3dcc3b42ec

SHA1
3f75ce6ecc3a2b74800958ebad0f1854ace4ec3b

SHA256
1dfb5f5e5d2562c6be2fc8434201784bf24815346fad0cf4ae3275f6dde7315d

SHA512
9b80f3186e05c58500017d4a8dbab1ddc398962799122f87712c9c31bc26bd84db17a42c68c0e348a734cae39afc446a7267b23b920a3980e983853c09815d88

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
196B

MD5
a2e539539e4047dc737dc91a6d5ab22c

SHA1
3877cca53f4362e48123766a27235970e620eabe

SHA256
6bd8303f4c49e73a201d47788c1fca1b9d70c8e3da892e1dd5b773abc6db3210

SHA512
ecf4a4a4e17375781812ff85b352309dee7ff6fa8a51ef03d88e15e25fdc239a6e9edc6e4261e5671d69599f2a1c5d9088d435f36fccc5aea7fe01ae85aff310

Download Submit