3ef53667b7e138ff04c97a5a3d53f9d55eb2dc976a08c0744666e3fc377a48dd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
Size

2.7MB
MD5

4641ea664b7646a5f62bc93acbc87e40
SHA1

4911fabc36c40e541893d3e8cb9ad49e7206c678
SHA256

3ef53667b7e138ff04c97a5a3d53f9d55eb2dc976a08c0744666e3fc377a48dd
SHA512

fb999d1330103592a4bd984b0606221585d2e621bc3115112bbe27be4f07d2ec67cdd1e12ae7da4619661e17fb71c4b97e527b0e9ab89520339c75c1c7c4d3f5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBI9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3428	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC1\\devbodloc.exe"	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFT\\boddevec.exe"	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
3428	devbodloc.exe
3428	devbodloc.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3428	4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe	87
PID 4396 wrote to memory of 3428	4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe	87
PID 4396 wrote to memory of 3428	4396	4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4641ea664b7646a5f62bc93acbc87e40_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396
- C:\UserDotC1\devbodloc.exe
  C:\UserDotC1\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBFT\boddevec.exe

Filesize
25KB

MD5
a4ffa3f6514967c0a003ff7c14b2f9b7

SHA1
7c838d5e248d0f1b2c4b63e9b8bf7895f9944e8d

SHA256
312867a13d78cf177646dd16617ea389f196941947443d0aa3db5af82df1839e

SHA512
a14e62941a20b35e0225bc6dcf7751240b936274d4a15df5518cb68002e7bcc205d35c2dd8bdab5e23bda17247fc1c5bff8388579b4af8f4084452f56cae8e6c

Download Submit
C:\UserDotC1\devbodloc.exe

Filesize
2.7MB

MD5
c8f35a508568291adb5d07ac2e157ed8

SHA1
047cf0426af2aebb30547525cc3afde80b24d84d

SHA256
fc253f8124b447e3fbbe31953f33d850fef7dbc51303a1d2553d33addf21d853

SHA512
720e151a7f565e5637bca2caf4e78fbec9dc531e2bc65907cae8656a2e1d0a8b5d86475afc7e4e809f4f128914b6969138c22266d0993899bf5ac9cb2f5ca504

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
2d9f8d22f856bc2ac87831fec0857e6d

SHA1
b89df671b43f85a218a6c47134aabc3b09c65c15

SHA256
44255627437a4faa7bae1b9ab6cbae1d5621ccf5c36e2372f2e451bbd11a3469

SHA512
aef88446ef03965905a6fe2f71ed9df94a07914b15077d2df377c2a928adbe55ced7129141509c2b0d280c5ddc95fb648df6407d0b262dbb1f9f6d5c290cadbb

Download Submit