2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
Size

4.1MB
MD5

8f1369ae44d1518767649e616da8d5c0
SHA1

34021d0e54e5d3485606a7f3beee2f915b18cdcc
SHA256

2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834
SHA512

448b9aaca2dfc52f760a3c6e20633aa6a8ce9405ada1d65de268d17b97aaab43a2efa70fa3e36bac3bf6ef5e48a5ef53e50782266372d1128a832edad2a93913
SSDEEP

98304:+R0pI/IQlUoMPdmpSp34ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm05n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\xbodloc.exe"	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid19\\dobxsys.exe"	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2932	xbodloc.exe
2932	xbodloc.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2932	2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	81
PID 2448 wrote to memory of 2932	2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	81
PID 2448 wrote to memory of 2932	2448	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448
- C:\UserDotB5\xbodloc.exe
  C:\UserDotB5\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotB5\xbodloc.exe

Filesize
4.1MB

MD5
0f715f6b0500e358b1a5625f7af295dc

SHA1
f4fb52c1cf321bf4b774511b06a3946bd6a4d5a3

SHA256
561472d428c912d4c40b15428be3aa455bdacdb9ce70d6941b89f005e808dd95

SHA512
f2202fa32e339185670b0fff722eda874410f873af7529a8f3f804ca42a3b03f537481da501ec8fae70872edf534d9c018b38ca5b680d3226561c43db7280dfc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
1f0008cbb42e8f655baeb909e8969f66

SHA1
e12b053b63e1762d6de4f943aca665667382fd81

SHA256
513402573f6235ff76485f694cd8cbc956b9a736f0ef100a28fd649678210513

SHA512
059cce595b9a1daa620a8a2114b1f6669d926e02982832e415985685650106fb2219111606df1cb043aeba6de5a4dc8c782914ecaa5b8be417b9842e0ac3ffdf

Download Submit
C:\Vid19\dobxsys.exe

Filesize
4.1MB

MD5
e0158f2c4ff9788600db02804711ddd4

SHA1
79249a98e1c997f9f4f9def84ea5017a818f360c

SHA256
ceda2b278eaf1cfaa88a3f4b92ee39942eef0f8bae1efdcfcbcff669d2ce76c7

SHA512
2065259694340ddb4ec9f25bc0e001d576490e1ab1cbed3a5e0346d904d31ce0500506b594fdc8fd9d4111fa534ad6e04ef81105e7aac0ded6bbf3beaea551b6

Download Submit