74ab3413a2b145403733c5a1e7701a61206f6fea730e5ddc3c43ede8b54e0905

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
Size

2.7MB
MD5

eb334561ed82e15fb96e9a35aef0b9f0
SHA1

3c2342f40a375f23277b72ced19da4eb12cc58b3
SHA256

74ab3413a2b145403733c5a1e7701a61206f6fea730e5ddc3c43ede8b54e0905
SHA512

004f76e3d9009bf7ffb5f8aa61d923eec1111ac742515534511ba83078fd3736655d921b03eef9c7c68dd109ebf09460665596907f5cc2e955deead62fbb8237
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4R\\devdobec.exe"	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintS3\\bodxsys.exe"	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
2132	devdobec.exe
1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2132	1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe	28
PID 1148 wrote to memory of 2132	1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe	28
PID 1148 wrote to memory of 2132	1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe	28
PID 1148 wrote to memory of 2132	1148	eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\eb334561ed82e15fb96e9a35aef0b9f0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148
- C:\UserDot4R\devdobec.exe
  C:\UserDot4R\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintS3\bodxsys.exe

Filesize
2.7MB

MD5
6fe4ac805ee263d4e4aea80575c5a256

SHA1
d7f2a51df5aa5a382934a8f2750a074803193ce5

SHA256
9336318e93e9aea65a1dfedd2b2337f88ca6a0b3f06993fadc736e5283695fc2

SHA512
6edf6ab10745cb48cbd31528b1db2672ac73a7f55eed4feea363c8b2aa0e47dfeb26b866548c1551cb53b86f8050fa398f6ffac8be8e4f59511dbed4e401d105

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
f7c51abc0d5d4b0e7f1753a319804657

SHA1
03e80e80e45640b8a65c32f41d6507a71e28b448

SHA256
8d49b739dafafae008164397456d054e5c62679fac67d216253db2d8e074829e

SHA512
d71f235b7f6c66b44b17beeb4355cad3ce3ab17db3f99584a4f120d62801eebc3a490191498cb07a34d169a93ce837e777b7e8291c515bea63ffd639eef8624d

Download Submit
\UserDot4R\devdobec.exe

Filesize
2.7MB

MD5
a8ec2c80429f21a2a3d5ecfa1c54657b

SHA1
353085fdee92a101d1caf15d8f224881362d3e44

SHA256
5120442ca920cd2b71d1667c74305879c9e23e50752a2991e2e398a6c06db211

SHA512
4b0eb7f3b8dcd59569f3b4f01afc234bd68541172a992f86bca70a83f96a54ef663bcb57aede046942d443e5f0e0009d1c6f9fcab95da29443378b5dfc8b8bc8

Download Submit