b139baf987daa555d278e009e018aaa1ac3f671de4622d4ddcd42b3e737ae8e5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
Size

2.7MB
MD5

a1f78f4eefcc590b864e7c2cb2342d70
SHA1

259b61deca61bfe062328cfe40dae6d6ef41ff55
SHA256

b139baf987daa555d278e009e018aaa1ac3f671de4622d4ddcd42b3e737ae8e5
SHA512

803ba5cfeabcc8dc6a9a06fee0cd4058c40e95586673c13c4b836131dee0e0f8e0a1cbad30bece8a1384f3637ac54f5cfb22fa2939eb6a558864e78845f08306
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3980	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYR\\devbodsys.exe"	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLJ\\dobdevsys.exe"	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
3980	devbodsys.exe
3980	devbodsys.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 3980	1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	88
PID 1564 wrote to memory of 3980	1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	88
PID 1564 wrote to memory of 3980	1564	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564
- C:\UserDotYR\devbodsys.exe
  C:\UserDotYR\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotYR\devbodsys.exe

Filesize
2.7MB

MD5
94dbb20523fb142f7c18965cda4d94f9

SHA1
8b5b04c30b6aa48047d40a58e7e82a7219ada870

SHA256
235216e89bcba5daa8257aa83b45197d5f795a0eec36241d68ed7016b2a52b0e

SHA512
f5724c1aaba62c3135167f964499c63c090a291098023d0dc21de3011cf85bd061d0438b50be4fb9546ce7278b350e22386568bd97c6fcc5cc95973a60f46436

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
492799cbe34815ce842da2cd64e67b38

SHA1
6505a9b1572729f3c7101ee66860571d9fc9e406

SHA256
267bf06355fd8e3249449f770ae17a4b4f057e4d5b490be7dfdad7bbff965255

SHA512
9c4af34faa918397471f01a71a27e6e1b92627f0804c7e342aa58a326b58e8d151626faf07a21273d0c6af3ba7cc8ffdf269151b0fbbaa9fa525aea17a016556

Download Submit
C:\VidLJ\dobdevsys.exe

Filesize
29KB

MD5
6f2d49c5cf2bf7469896d2e0b88d4a97

SHA1
103dd13a045af8b00b30c35f40579bf976331c8a

SHA256
9ded0e51febb3d6edc5cd358b1bf2d3bf790b0dfc116e02f3e82d03a189a3fdd

SHA512
0ec62c74e48b5354450aca2449b66682234feafb93c37e939e30e9c6785810ca5c3e82f0b2a06f09715a867f91b6d239c8942d966c1c1ce26bfa0897c472c47e

Download Submit