ccfa3b063c1c7789d9e737a2bf0c1db715affa7981d6945406b28c19c4ede0be

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
Size

2.7MB
MD5

7705c71b3222d1f4c17895bbcb863190
SHA1

434793fd5d93047793bd85ebeb31c018431195c2
SHA256

ccfa3b063c1c7789d9e737a2bf0c1db715affa7981d6945406b28c19c4ede0be
SHA512

580cc9952f42dfaad0aa68e3b1bd2577b599b10eed77455675ac5c69e2de6c496f68715624686bbba122037cbbd11bfbbb6ac06603e6bb6379e348578d3e7373
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBE9w4Sx:+R0pI/IQlUoMPdmpSpm4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAM\\devoptiec.exe"	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKX\\boddevloc.exe"	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
1632	devoptiec.exe
1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1632	1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe	28
PID 1956 wrote to memory of 1632	1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe	28
PID 1956 wrote to memory of 1632	1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe	28
PID 1956 wrote to memory of 1632	1956	7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7705c71b3222d1f4c17895bbcb863190_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\IntelprocAM\devoptiec.exe
  C:\IntelprocAM\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
efaa1d8330550f9effd627e3111ac505

SHA1
f5bff90f31bfb408a09ab72ab61713341733e577

SHA256
6cd291569479d4a1f2aaafb40155eec33fad65ba6c9b0064dcae2058ee62e591

SHA512
0908c6549ac67d6edc1551e59189f0a254e3175af029d1b881287a13c59b9b8062ef8039089bfcb5d9be3bb17d75ab6a475c8500839f0fb38017e6ae29c02279

Download Submit
C:\VidKX\boddevloc.exe

Filesize
2.7MB

MD5
a272daca3d3c5dd5062de7cd1bb02cc2

SHA1
35f863e9462ca417d78ff73ab47d707eb61c96ff

SHA256
b3f4594666407b0b19144615bad23eaaff1390eb5683432e14d05380e4b5fc11

SHA512
50d8fefb069faea49842873503358259cb914fb2c835b95df6dc087b76f97f5f9a0689312b85d7e77fef6d7d2f5e2b6b6ef4cb543c1150b9b96613974e477916

Download Submit
\IntelprocAM\devoptiec.exe

Filesize
2.7MB

MD5
314737216097319564ff29595a64a1ea

SHA1
c78119c55fe61d784ca06b2b0f59d6793397eabb

SHA256
300778aa826151b860ef9e3242992b0ea61c2922b535a06cfb5e1fe1ebe39afd

SHA512
36807d25e835e739b5c7a385221871704f0e8fda16b4af9e3c905ba69ac771b2da1b6ba900f60f3e9dd16d3256324b145082ca453dcda51f9b318cb432fb6920

Download Submit