7d64a26fcc2ab072ee6e4b538cb0f7753971c4f8b6dd5260ceacf24477f7ca54

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
Size

4.1MB
MD5

38fb35d2710c5ce59a5ff040769d8e50
SHA1

dd3898ab8c661427df532af208cb66f89fdca7ef
SHA256

7d64a26fcc2ab072ee6e4b538cb0f7753971c4f8b6dd5260ceacf24477f7ca54
SHA512

847bfdb8f372f266a9144ddeb17b9bdac6e8863de67af1d0f8cd1f6a10db659f0f92ce87706f6ee920d690d8653f499a45d4cd30fabf95b619ffec8d9c212249
SSDEEP

98304:+R0pI/IQlUoMPdmpSpX4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5020	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOU\\devdobloc.exe"	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPG\\bodxec.exe"	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
5020	devdobloc.exe
5020	devdobloc.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 5020	3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe	88
PID 3968 wrote to memory of 5020	3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe	88
PID 3968 wrote to memory of 5020	3968	38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38fb35d2710c5ce59a5ff040769d8e50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968
- C:\AdobeOU\devdobloc.exe
  C:\AdobeOU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeOU\devdobloc.exe

Filesize
4.1MB

MD5
565288ff2438805422eb330b436442aa

SHA1
75dfab8e62eddc281533b8556bb7c05422f11326

SHA256
8e593c900cb468b414cb01e9be0635844b6c15e8aa9c0125ba95bed0b31bc56f

SHA512
227e69c64ce7f40de9171012b84a9500b7acbfa4b7b6923f0c746f00d9d8b3e926b2b7886060dde4856372d9f000dde7cc18aa9df19af8538fb9cb43cb3db81d

Download Submit
C:\LabZPG\bodxec.exe

Filesize
4.1MB

MD5
7d812581ef1add29282587f6be6270be

SHA1
85f0167aee57400a74bad5032c59884d7032acaf

SHA256
452c73eafcea18fb81165f30d8441b6d43c081c05a92cd3def313edd0dc88cf8

SHA512
b8eec05edf92caacceed42a34d8da1fc3d030ca18bfbc3c331b4ef8a20763e879841f4910c81bc7570f2c42dd6cad8681a86d031f54adc420707674c73ce3c0e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
d696a1acd65b797213e232a98fdf6e4d

SHA1
89f3efd6ed848b285c19f6c5c8648053f3b38d20

SHA256
dbf0f31e10079224dc4889097daaca25b2d4b83d2f19bfe0602029095bb57e63

SHA512
a333dca6a2fabc10acba47fcc623e8bd2c4616ba626d6edd870e990b8169aa8850f7ebaa06b30311f3edd0b302a8abf7f731c8085dc5c1d3ee3d72f90a5d5831

Download Submit