891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
Size

4.1MB
MD5

78d0e89b677dab72bc401b2841a97da0
SHA1

da8274142a4661a0f5b6b1824a22e3ccaad177e8
SHA256

891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024
SHA512

b05d9c3ef3f605da3ad1f80745f40bc8659114bd6c67bd3c398f50587e60a0f292484a223e8fb9ac7b7d29b2df85a4c86ab343f7a8ec1ed11a0eb748fe8bf14f
SSDEEP

98304:+R0pI/IQlUoMPdmpSp44ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmf5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZS0\\optixsys.exe"	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8U\\xbodec.exe"	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
1328	xbodec.exe
1328	xbodec.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1328	876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe	80
PID 876 wrote to memory of 1328	876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe	80
PID 876 wrote to memory of 1328	876	891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe	80

C:\Users\Admin\AppData\Local\Temp\891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\891b9a4353c5c8a151ff56ea3f40c53cf5f2b98b6b149bec78080f40c9501024_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\UserDot8U\xbodec.exe
  C:\UserDot8U\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZS0\optixsys.exe

Filesize
4.1MB

MD5
db28e35903a657d97ed2a278cf073820

SHA1
325e961a2f3e30cdc7eaba1082abaf04a4a670aa

SHA256
0d5641f072853deaf3e9263b2a74b3c4154c4ff61a2ad811345c88ebbd99da94

SHA512
909f8327ef612fe41bdc4ab5ae9c8a3473445552d62c9a00628d4c736eef1cad60e361a4ab3e6d4ab3c6e7dc8de5ee1ff3fd13db2f7b8092ace4a41256fffbf4

Download Submit
C:\UserDot8U\xbodec.exe

Filesize
4.1MB

MD5
91f72caa3172e3b022a070692469ff24

SHA1
f82ac03efe7986ba6976025f1882f08b867ab684

SHA256
e495a2afa3b134545b379ef87b75387711b8a65e9d5e5b671c081c8b95999738

SHA512
2606100385f19ef8ee694bae96ae8f99e0a81e4425ed45c656d6e4d6ba650fd63c50b7ab853e19efded5fd5f9d10f2cfacedd3dba0af2df233df75da2930fb6f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
200a753f308548223ef47ed8d5046689

SHA1
e902ffbeaa8d5d3aa40c0bafc3a6b1cbc9db0799

SHA256
3d33b19ff2c58bbf2f75cd59820081f65d7ebed0c0c4fb54a2f9ff533fe95302

SHA512
3ebc3b6cc662a50835cc542f88e384000c36ab8311eb23d2bc3fb0d7efbaa4383b8af61bf8148d03b6f3a952c25854cbc191e4aa171e4eb7e8cec832d0325958

Download Submit