779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
Size

2.7MB
MD5

99a06e707688d8b31a1baede6e7db2e0
SHA1

3036553b3761cce90a620ed62ce1f0983a0d577a
SHA256

779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14
SHA512

96b49ccdfd4f51b65660d5a408a884c8b8faa7ffd0731ebc712dd299ee4275d0c390b21893a41800ff4d651bee59cab500bd973269e05c49d8842bb227f4d742
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
552	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4H\\optixec.exe"	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot72\\xbodloc.exe"	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
552	xbodloc.exe
552	xbodloc.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 552	3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	88
PID 3164 wrote to memory of 552	3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	88
PID 3164 wrote to memory of 552	3164	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164
- C:\UserDot72\xbodloc.exe
  C:\UserDot72\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot72\xbodloc.exe

Filesize
2.7MB

MD5
af0503fbdf5af4dbfbd333e996be2a02

SHA1
930ee329ac94730637bb5b7e1afc695f215d7f73

SHA256
8c87bdedfae7fdd36dce3e2cc8ee3acf0145e27c3aba050e668254613ccc68fa

SHA512
26d4851f439a769f42f70c7db6aca87591f157316ce4d21f038d48b21a56218b566804e9e0e4fd2568444d693fb5665db422785bd796c5ea280c57585843736c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
b71b0a653766d87ca0ef70b0c2796bfb

SHA1
dcc9d97536757315c93e4b277878e41f600b5e68

SHA256
0e40960ff21872b424455a78850f4290989ea1a247afe542f1b993711bbe280d

SHA512
5b63beca6a8fc728cc12968d0cb6f562c33bc19f9326fd58856641553d3c57a17b4b714cbbf33e770a213d0309d37f95be33239bdb68743f5a65694518cd7c0e

Download Submit
C:\Vid4H\optixec.exe

Filesize
308KB

MD5
4b09d06dffadbfa3b3bb2a6796bc7571

SHA1
1a32ab997e6198454dae53221ef3759ac0374cba

SHA256
bdd2057f417d9687f4af48907f3194e7f86ed56a10f755fdb2b66aa71d8c71cb

SHA512
9b7757942bdff2f3a7b3fd35747e33671d14efa5f8d6233d156444ed126fb4e3dc21a12fdabd3e23ae971d4a4affce48f57671662113eb9ffb58d931aa72502f

Download Submit
C:\Vid4H\optixec.exe

Filesize
2.7MB

MD5
d142eb165bf40d51335344ac01fbe109

SHA1
d0c1691e7518974dfee16b49580a59595452593e

SHA256
e7a7da3bbedfcc3a0dcc36e719f8e5fd1d9f63b1557c5473d3023a49364d5c41

SHA512
89d6e3537d3f6dca582404a1a098d153c5b6e89d32539d13d24a289cbe5fc591ae62a5d64b234749d9e789c7eec7227a4a6125a5c9564723022300e692c91159

Download Submit