a73b5c862fc9a88c68414dbf1962501f9a2fa8abfbe57e4836ef26946e4479e5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
Size

4.1MB
MD5

c822680a0ec6f739280c427738bfde60
SHA1

57ce179fd2ad0395ba86e3932b1af8260e96910d
SHA256

a73b5c862fc9a88c68414dbf1962501f9a2fa8abfbe57e4836ef26946e4479e5
SHA512

c0c1b962ae1dc6b055a9c4223e83fe986e2921fe06cb876d5f70a938ae71217010a4afb0cc870814a4a04e577e7685349330356160d22ab04450d841ea4bb797
SSDEEP

98304:+R0pI/IQlUoMPdmpSpd4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmu5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC1\\devbodloc.exe"	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFT\\boddevec.exe"	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
2364	devbodloc.exe
2364	devbodloc.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2364	3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe	85
PID 3696 wrote to memory of 2364	3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe	85
PID 3696 wrote to memory of 2364	3696	c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c822680a0ec6f739280c427738bfde60_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3696
- C:\UserDotC1\devbodloc.exe
  C:\UserDotC1\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2364

Network

DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBFT\boddevec.exe

Filesize
94KB

MD5
fe6c789bbdb6162729a61150adbf5a93

SHA1
636f33368183d91a4d45faedd86599d1f3001037

SHA256
8dd34648f64c3ef52245bd88b1c33fc65900f3326a3418ba942a7c4460200f01

SHA512
d80585afe386782154329dd57d0fc2098a5c9763bbd5e89717f1ba5971455b715e094bd9e83b7ecba31f6dd5c0121afee7aa9a60ad627c59f34e2f6085d39eb1

Download Submit
C:\UserDotC1\devbodloc.exe

Filesize
4.1MB

MD5
c545e3aff53cd6f1492f3fdc0b2154ca

SHA1
f291195ba21efb0325aeaac8a4f574d2ea2696e8

SHA256
221090a5d4d3e7b4be78f4e59a209720e02ae956454ce355cda10a11dad73e6b

SHA512
aa5bc31327994bf5cd6ffa6e04d4de8cd70ed611dabd3b078b88114865d4ac96483057f70f1dd1aa6fcac584a361a7fdaa55f7567a9acadbbbff6ac7451b36ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
83636ba02ffb6cd79f5899969ab47eb0

SHA1
2e8bceaa1025727f0ca6b72ad08610e196db09be

SHA256
f3a074ae4357c9834095768583b7238e8dadfd3297255587cbda887afc515c91

SHA512
e89a220f3bb0e2d6a432572b2c75586442999f4a51e7cb0e1f97cd06bf79616c41db8ed80ae0dc3aa203c48271cfc1c583740d166cf714a90cd22c424b12d256

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.