c5e087749bb0acf1f338de0de0e6ab5fdb598e7ec0caa90d067919352641d133

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
Size

2.7MB
MD5

828bd11548e69f1db30c36f2491ee760
SHA1

78cc2d5da89e5453d6f0fc27ab85ebe91f9981e4
SHA256

c5e087749bb0acf1f338de0de0e6ab5fdb598e7ec0caa90d067919352641d133
SHA512

607a2d39b6d89efa63d6f8b880b4e606aeabf6ad32778a978e22b3b1136ccc1105512245495d3b1f678074051ee5d44fe89e6c124108b16048adc42a9ca6df9c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBZ9w4Sx:+R0pI/IQlUoMPdmpSpN4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
436	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6W\\xbodec.exe"	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ10\\optiaec.exe"	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
436	xbodec.exe
436	xbodec.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 436	4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe	86
PID 4724 wrote to memory of 436	4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe	86
PID 4724 wrote to memory of 436	4724	828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\828bd11548e69f1db30c36f2491ee760_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\UserDot6W\xbodec.exe
  C:\UserDot6W\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ10\optiaec.exe

Filesize
2.7MB

MD5
e67c1c5697aff76595eefe982648cab0

SHA1
b5e38a0e395553a90d9d294f2a89adccc31f648b

SHA256
4666c2715f2c53a98f0921f372acc060e819de8bfa33506ea9fa96db0a2d6df8

SHA512
10586c42fcb642f271ac9395e579fc87ef3343abfda1178c9fca812d0c3f1b36951122fcd6eb58d86ff5c3044974f6c6c76e79e03dd585eeea0aa375996f468b

Download Submit
C:\UserDot6W\xbodec.exe

Filesize
2.7MB

MD5
a61a422fffaee3a5ba97be7263a8d494

SHA1
54d98194b4fa6a171b753bc161f49bfe59ea4b99

SHA256
1c146a6a524d9a8e21a7fbbc2aa8e9047117f7bbe59e77904e978307a03e0c9d

SHA512
a78baa42f64dbf35876f3224bfc84b82133af91207d7b04aad14c50bc1d0e2363e83c3a9c9b6200abfb033dd463f3127f66c09ebe14323b11384b9d377ea93ce

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b587b1c4c860431c5338130df621959a

SHA1
194c0a066d5ccde2f2a66b62d49454759275e2cd

SHA256
f724e3e293e5f288e0af98a3182f4137e1607977f8857cf417983af64f19d0cc

SHA512
4956bf3af9d3efdb2db10325e1f29d00290ee876340f080a84c4efc421eb9366863655b4ebeef05b833aa4ef270348c2784dc323a843b71e9881c7a52dac5a19

Download Submit