b21a5119c4e65cd14abeef81dc22eecf5922876e0f5850cd41b7acfa932b92ab

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
Size

2.7MB
MD5

0a14714c3af2c4261dc90361955c6c70
SHA1

085429ece8217bc8da11bec0e2153ea47e5cb3d6
SHA256

b21a5119c4e65cd14abeef81dc22eecf5922876e0f5850cd41b7acfa932b92ab
SHA512

c38956f345b0308d273036f91ba914204ef406dd927d24f753e241b882ab8293adec74481154fa835cd4bb3285bba42e3cb34edebefbbb1bc79197ecdace5ff1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSpo4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7V\\devbodsys.exe"	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBY1\\optiasys.exe"	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
1964	devbodsys.exe
2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1964	2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 1964	2128	0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a14714c3af2c4261dc90361955c6c70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Files7V\devbodsys.exe
  C:\Files7V\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBY1\optiasys.exe

Filesize
2.7MB

MD5
fe1dafca4f35b260893b473a57eb8a06

SHA1
35e9b1b0b86e0c474b4e6ea314f5d62339a69f62

SHA256
537014af293152e8fa165b3c12a415afb856ed895295a090f4e260e569b3fd03

SHA512
8de0218a490775cf3f2a800e624ecc32c1b29a3e3f6bf2e2a0233c605f35c23d2cab07ace708f3dd3ce1ed04bf91ab95ca0d0ab82dfb6061c745f38cf1ab96b8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
c52f449d369f7271d14a7baf75c89f99

SHA1
69ea9d961c625899bb529ff6185f0f7d25036f7d

SHA256
0a6a740466dab353647f3c6705cb05f9d6c3aea3176264c714210741e1f837aa

SHA512
a460d6072f6b040f13007429fbb6389ac6cebcd47d898efa6d735cbfaa792e4d450a831b7c397197e6d596e6f8bf621f2ddd22ee3e7db26aa571c4278cf5b55a

Download Submit
\Files7V\devbodsys.exe

Filesize
2.7MB

MD5
11d8bd1063850f09ab47a42dcfb44f5b

SHA1
eeb0079c9fafc089ee11b4596dc084b38646edbf

SHA256
a5ae2d6d796a049eac765f15409bf1c2728204f00af590d798c3f55b19e3b183

SHA512
f59c20a331ac78c22680004f550fb5f40215730a8c8d71ee265561eba951d2006542f7eaa4abab5cfe0b5dc2d727f07874e1fb0a11a02b38970c1ffe0f98b675

Download Submit