79c8336b1d8536804909c10b175f4b563a42e4305af4fe6ead62a14e1b673f84

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
Size

4.1MB
MD5

3e32949c0fe551834c2f6a45115c1cf0
SHA1

61ac8477142dc3a5d07224a51c74f84cf823eb8d
SHA256

79c8336b1d8536804909c10b175f4b563a42e4305af4fe6ead62a14e1b673f84
SHA512

3180d512a601370f0f1ec21be9df5950c6610a26bf6c5ad29b489b26a7f5c14da19ce12106a02a2dcb3fbfd02eed8b67b88c31496499aa50e20f64d787b8c79c
SSDEEP

98304:+R0pI/IQlUoMPdmpSpF4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmG5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4820	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU5\\xbodsys.exe"	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOD\\boddevloc.exe"	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4820	xbodsys.exe
4820	xbodsys.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4820	4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe	85
PID 4168 wrote to memory of 4820	4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe	85
PID 4168 wrote to memory of 4820	4168	3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e32949c0fe551834c2f6a45115c1cf0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168
- C:\IntelprocU5\xbodsys.exe
  C:\IntelprocU5\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocU5\xbodsys.exe

Filesize
448KB

MD5
05bfbc1592066d5715a98b020ef5a722

SHA1
29a723da17f854fe31b77a9870f5cda20790651a

SHA256
3b4ae77dac0890a16f8842b16b04049b5887014705cd29dc703f0984338d3f82

SHA512
0c3f88ed633a60c4366129f6aa2faea9bba119ab551d41ec1aeeb3de84aa98684aacf7fc43dd76ddeb098ab7ce25f7e385617fa746b7bc364b6a87a3c0622896

Download Submit
C:\MintOD\boddevloc.exe

Filesize
447KB

MD5
23f54fb8fdf93b3b7ed2f5ba796f92c5

SHA1
cf9ef355857e58eb8719aabfa682eb51f8513615

SHA256
6d0df0945ac3302bd82de467dbb73394fdf7f44cbc46c87bafb57890ac4cbed1

SHA512
2d72e89b85b7cd644eaa601549decda669dc80e0d4afd8a82c32e402d260dbbc2663eb789615b62e32bb04b2dbd97072c5a3fafb7d4f68a428781dd720af7553

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
7fa7834437f3631ef79a8c3ceefbb42b

SHA1
92526489fda80f896cc599177146126c9a7db72f

SHA256
42ae7edd6d23f8c0321c3f1c377489aa0155b71e73ed1ac058882fbb790047c8

SHA512
843f2fdd0c45fc4f4417b962547ffaceb4730cbfa3c70a266dca836e5dcff9db41839d0903315a5a52134443ef74f7ea7b10e43ea7b79b86924d1c86838712cb

Download Submit