8ea6d857f8e8f2557d10bb92b82afee2760a92c5160f6a153db9594c75005b87

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
Size

2.7MB
MD5

af81a16e10b9e152b8be345ea1edce50
SHA1

35414c70d2f5e0681900eb2ec158c78e99ed19a2
SHA256

8ea6d857f8e8f2557d10bb92b82afee2760a92c5160f6a153db9594c75005b87
SHA512

7d5855d70d97e8405a6a7f1f5bc59c1f1f304e499765d42a109299499ca95ee91d6bd91b52d9a01379f6d30e9c249d66597f6f3cea932e0fa8227ac3d19f889d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSp34

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2H\\devoptisys.exe"	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRM\\dobaec.exe"	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
1992	devoptisys.exe
1992	devoptisys.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1992	916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe	86
PID 916 wrote to memory of 1992	916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe	86
PID 916 wrote to memory of 1992	916	af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\af81a16e10b9e152b8be345ea1edce50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916
- C:\UserDot2H\devoptisys.exe
  C:\UserDot2H\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZRM\dobaec.exe

Filesize
2.7MB

MD5
ca4ad5eea19976cae47531c9f5aea296

SHA1
ea9a7b56fa69bdfd3fd05116bb07747d3bd871fe

SHA256
a30f6b95e6eef00c25f34c2aca8ab7ec9057300b1c3fabea2a6a6be2963b9f7d

SHA512
d055dc3b39e3f901104b210f7ec11bfe46c6f0f54599271fe57bbd7a8956bd4c9fa5ba68819855870716cf85357b0a222516514df150a2e4f5ecfde836d2b674

Download Submit
C:\UserDot2H\devoptisys.exe

Filesize
2.7MB

MD5
8f73f497a9753efc2663ba6e1f904a09

SHA1
ca21c25eab6276e157610ceebcdd4af177a8210d

SHA256
7797af6a85beb9d0302763da02cdba6442145520894fb5d689514661ae3fba81

SHA512
1c16a6e6eb0cc762872ec4fa7afab832531fc01ea11095044d452cba2c0a0a203dce6763b04a14788d7e3041e084c699541036a4002ed34f31ef157209772054

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
f87723219e68ae5dbbe9e045c2f9e2c8

SHA1
a90d23bb19bbccff4172f37ed4e6df751929ce80

SHA256
efc6c383d83a9203096acaa54030cd1a49bca3a8f271dadd88474a4ab905c574

SHA512
1bfa0ae9e15b42c50c898df34d8b396a20155492b8fa3125d8b06401f98b978295cd8986589dd917b58cf4107adc5302252c6722dc6594d0599de973eade1189

Download Submit