4019e3c24599bc3cab08d6ec5b7ec5cebebd8c8fcc13d8c323108a45ddde1c24

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
Size

4.1MB
MD5

c4329085e6b51e382d7536bfa2c63f30
SHA1

6e915648ef6490e06cb434ea671de15cdcd19252
SHA256

4019e3c24599bc3cab08d6ec5b7ec5cebebd8c8fcc13d8c323108a45ddde1c24
SHA512

a3da4526e9604ce182ee148f3f827c250417a1d5eeeb27df074450658e8fc47798247f131d1903dd10e0c134ead4323af01b106352b8cf02bc9d121b58d35065
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0L\\devbodec.exe"	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7V\\bodxec.exe"	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
1448	devbodec.exe
1448	devbodec.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1448	3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe	88
PID 3316 wrote to memory of 1448	3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe	88
PID 3316 wrote to memory of 1448	3316	c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c4329085e6b51e382d7536bfa2c63f30_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316
- C:\UserDot0L\devbodec.exe
  C:\UserDot0L\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ7V\bodxec.exe

Filesize
896KB

MD5
e2e5a7694d9a1fa312d7d2335e46acbb

SHA1
f2713693019e1038a41e181c13fd9e011ad95f22

SHA256
9cd36c7a3b68a117667169a499670dafbb12c640da703422cec588f2a5f30918

SHA512
69e129ebf6cd05c9022fd1bab8fe31fb37c9bebe1c9807086515ba44056b1c866ce62e426d0b0a11963a6b3eb0e736ac49f4d59c4d58963466848e628a4a07b9

Download Submit
C:\UserDot0L\devbodec.exe

Filesize
4.1MB

MD5
d1a703800f1bdd18d31cddd14d186916

SHA1
6f104add09cce5506447fd495734500685eab580

SHA256
c79aed2bb34deb8fc78264e44b8fb865820b877df2df29928cd698dade2ae690

SHA512
b49d668fe679e97f561b3756d91149b1c8b18ddafab68897f3ba3297bc34a70585d93dbb12b37eaf1ac4235ad37ef08402d348daf819e24e60a14664cbdf5fa4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
e038b2647337bbf6e7d06b619271767b

SHA1
f4e3751d1451b956dce9377aa7914fea51c5e8c0

SHA256
fe6f8802e8eee1ec50f89a2585e210ac26a272126ac9a49952d8e6dd47c3d9a4

SHA512
53c7e01058ca4b5b37a7b2c5aa113cfc8281ce032208a07b057e62454bd24fc548b444cc309837f4246785a0def5985b4139c3c0609a25aa663d54300d5e7b25

Download Submit