9537d7c07f63c447d2083234c32f661a31469d15416c657546ca848d1f2a875c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
Size

4.1MB
MD5

302b5b0e4f8ed7f4985cf48aea5c8070
SHA1

11403d929ae3261908be7b269eb465239bd6210a
SHA256

9537d7c07f63c447d2083234c32f661a31469d15416c657546ca848d1f2a875c
SHA512

a7812aba58fd3f38bbe7aa1a9f098ee3e83bc7adf2cb6ea114ce96be8cc18de99c8872cb38e569e46f43c0bc3932a38e9074c3d2e448d0272cba3862ae14b937
SSDEEP

98304:+R0pI/IQlUoMPdmpSpR4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmu5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ1\\devbodloc.exe"	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\optixec.exe"	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
2900	devbodloc.exe
2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2900	2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe	28
PID 2908 wrote to memory of 2900	2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe	28
PID 2908 wrote to memory of 2900	2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe	28
PID 2908 wrote to memory of 2900	2908	302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\302b5b0e4f8ed7f4985cf48aea5c8070_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\IntelprocZ1\devbodloc.exe
  C:\IntelprocZ1\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
c08132da50334e53e92580f40dd78357

SHA1
c6456941d1eee343fbcda3fff52a32c6712fcb2d

SHA256
d20f91e2495a48d9434c26b8a2e9dc562c10e10c1c248b1aad3f9341e4315901

SHA512
97b6e3e8414441d6cd476130595a2e3c8787612f771bafbc76b202e787915d3bd0dc1d7b5c34c24fe98da69acb3facb98bc81088459da019aebbd7d868b33e05

Download Submit
C:\Vid9U\optixec.exe

Filesize
4.1MB

MD5
03200e12e5c6e5751c58aa6e9281c566

SHA1
e33958539d2d93e0b6f897878e0173459ed77acd

SHA256
5282a72513460708870a629bf81bafe8a90b7e3ac481a9c6031a31c70f5525a2

SHA512
82f12136e1d2e24002d472534c2475b2120c10b1e3e69d7d7ac17d63324c8affafbb996fc3356aec5b12e799fc6c8aa7bcc2dc5a3c51df739b644f78cfd620e8

Download Submit
\IntelprocZ1\devbodloc.exe

Filesize
4.1MB

MD5
b929090bbba0fc6aa76f338981ee1b7c

SHA1
de2136b780158f0606db144bfb7e163520c81aff

SHA256
88b948cd50c1a4175986fe15f4c0cf78402a08eeacd875b0ed78b17ce1293acb

SHA512
947a5bd09d0b75cd603b11890927cf415048fa77ddc7bb0dc5404b51fe0bd2984620d44e8052a0b1d78c057640b06f692e9b4aa17ec4db867c1c9c54e28b9f93

Download Submit