d14c5d4e24f85dcb09fc6ebd1ba2ab6bd29f39f8208f6932a8796268a098986d

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
Size

2.7MB
MD5

542d69c33ac979581c96d063d90db050
SHA1

f42c32c497e0a24c85c5d632c9aea14616710871
SHA256

d14c5d4e24f85dcb09fc6ebd1ba2ab6bd29f39f8208f6932a8796268a098986d
SHA512

7553632a2318410946da56fe08cd9238fc31469f8d923190030d9088e32e4e3d8f5ed42fa2745f471aada0b5701e6cabdbeb06803acd450187e4456156f88025
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGP\\devoptiec.exe"	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\boddevloc.exe"	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1088	devoptiec.exe
1088	devoptiec.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1088	1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe	81
PID 1328 wrote to memory of 1088	1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe	81
PID 1328 wrote to memory of 1088	1328	542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\542d69c33ac979581c96d063d90db050_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328
- C:\FilesGP\devoptiec.exe
  C:\FilesGP\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesGP\devoptiec.exe

Filesize
2.7MB

MD5
983fffc48fbae449dd207f5b76893205

SHA1
f12d2336a7a1846cad3cbb14fc4821c5e98833f2

SHA256
4e30bed8547f689fad2f7558c7a14d92205ea4b97e541ba15817d95e88c67f06

SHA512
54bc59e8360b9a61b416cc5a4205a8c827d01d0b1e9c03284346a60f0488bdcf2f31d293a9c5fd8eccd7af8f93d940ba050ccc93c31b040416d9110e3ad32c93

Download Submit
C:\KaVBHT\boddevloc.exe

Filesize
2.7MB

MD5
5bd8e54b798b1b97baf99f422bea4923

SHA1
d97d7e3ccf876f310113eda14697e67e62e4f385

SHA256
9ccae74f0cf5ef3e23800e998fd84ebb9dcce2ca6fdcea42eaade5d043d8ab01

SHA512
455d2caa935550a97d9a24a1b45a2d5e18848f047e1f2f6a3c36567aaf9b494f6e76025d03d6a883fd8796f6a5b786ba9a3619ecf8909d8c8994f51b82166001

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
9f7578ef9ac822a7e19ff2436172b596

SHA1
bca2e71497f30e7e7d8a32b82f7b7146358845b5

SHA256
4fbde3e3d0f8751bbc0ebf714692ac94c5903f1876084e2b4da3710e7e997d67

SHA512
011042b4857106d521d5a7060166d2644c0255040eca8afcbe8292aca8d192383379e99005d8dc7230a25b8ab1068d6a64ee8b03ddba9bb9fda691bb3d160bc8

Download Submit