26ee8c7abbef66031f2033a8ba70e542c4e857fa5aa9de81ebc75bbd2fb5b3d4

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
Size

2.7MB
MD5

3eda31eba6c2817b136f4a27e78bbd20
SHA1

b587382f415551ef4a9e2b3c13f86ea97b45bb4c
SHA256

26ee8c7abbef66031f2033a8ba70e542c4e857fa5aa9de81ebc75bbd2fb5b3d4
SHA512

f1f4db713fe2576c118cd18c19287698eb9f5371e252fad9952e2d26842dfc8d4fe3b555d938f15deca42979872f522f82473328157bd12b4c37ed5d7c97b0c8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSp14

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3308	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6U\\xbodloc.exe"	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4R\\bodxloc.exe"	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3308	xbodloc.exe
3308	xbodloc.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3308	3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	90
PID 3524 wrote to memory of 3308	3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	90
PID 3524 wrote to memory of 3308	3524	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524
- C:\SysDrv6U\xbodloc.exe
  C:\SysDrv6U\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint4R\bodxloc.exe

Filesize
2.7MB

MD5
a2e8bb6881fadd26f0217715c535f1d3

SHA1
92d9028582de0b325f3b15560ec08eb52ec4d104

SHA256
03833aa3ce38244e885f36313c546966822badf129298634c1ae591dbb60ae46

SHA512
07e53ec615f19cf5d77ffe6edd5931988d22edc5657e8493c660753e99edb4a79796c90adc1fa1be3d06b13fbe79353cd622e2df21b42b3089310e0fe5e1ef3a

Download Submit
C:\SysDrv6U\xbodloc.exe

Filesize
2.7MB

MD5
99485e3bf455b415dc0982c53e3d8e0e

SHA1
6c8ff23ec9c2bf83f357e6beba41ef6f7ca22e3f

SHA256
53fab6fbac11eac8b232ed3bdde48f4843e6fd1a2007f61e7e2a568f5b9087fb

SHA512
3afe157ef4299ddd8b30ffc6516411281c482234145f65bd2e8569f0a172fe21e707c5ba2d1e80d7fa55c0bbad23d2f7f1cc6a232686c72cd1f3c65d769059f1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
80ec20e3e796b3eda70dc19845a106fe

SHA1
4e250872e26d1497ba24d70a4f7f53c4981674eb

SHA256
112fc05980dbc351eb69c00dbddc67333beeef06bb55017aa2c173b468bc88b2

SHA512
51f6f9cf68a901b6f48b3ba9e8bf8f4506238a89c4e48f641f592188b732aa8535f942b401f9ec0c10daf2952e606c28c8c91577a6a4f237435151eba1fb792d

Download Submit