0b6e60419ad514ad8c3067f18c9d5bc16454d009717197a74e964605a023ba83

Analysis

max time kernel
149s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
Size

4.1MB
MD5

8004fb5e66723789dd4dee753a6ee160
SHA1

5b0960a11ee60d02465b1d4e5402f6594b569496
SHA256

0b6e60419ad514ad8c3067f18c9d5bc16454d009717197a74e964605a023ba83
SHA512

c574fd3ec7eca5fec2de2f2dd1ae20d0fb7ba69710fc270ab5cdcf9b6a48450d73db147026c11d4f49243fcf91c8e4f3b443cf0d460a0f1e17f77c259b971fa3
SSDEEP

98304:+R0pI/IQlUoMPdmpSpR4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmO5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3600	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVS\\devoptisys.exe"	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUZ\\dobxloc.exe"	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
3600	devoptisys.exe
3600	devoptisys.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 3600	1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe	86
PID 1828 wrote to memory of 3600	1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe	86
PID 1828 wrote to memory of 3600	1828	8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8004fb5e66723789dd4dee753a6ee160_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828
- C:\FilesVS\devoptisys.exe
  C:\FilesVS\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVS\devoptisys.exe

Filesize
4.1MB

MD5
f1d56a90db0d302bc2155de78842bd11

SHA1
e5e0c712d0916f8d15ae85e277a919b32699cb25

SHA256
d605865082b6d7921615463b25cfdf7f01d3e831cbc43f3d42844b419f91f4f0

SHA512
8162bb774f225a42b797926d082c0e4f7da115aa789af4da4f29df9d59b292cdafd25737baadf38be055bb1d5ca87b775a337171e451e41fe24a33066a6db720

Download Submit
C:\GalaxUZ\dobxloc.exe

Filesize
4.1MB

MD5
dba0ca78bc58e29a84d4084bfcd72d5b

SHA1
02ce9e725fb01efda885f5f48bc57991247b9e59

SHA256
c38ec2e7d0fee4c93d9e8f8d83172e5e280d7a60971f2901dd1e4b20d7f20ead

SHA512
cdc86693bdc62f06bee49f820633cd91ac43102df9dd2a3141b66600c14ca93bbcdf620ecb6734ae4e4e01594b35a8e93f2669d2a1b0527e2452f2a5afc2dc75

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
f929f5812bba41038aa9ea50ba13a6ea

SHA1
7220da569cc732d47b5217de7d60371d11ae9aa6

SHA256
dde075ebfd2525f47c20c57d82c0728fa0e71615336e795a47c129571c89aaf0

SHA512
a90421108a001441c2850a8461b233dece7ff35af3bb1295e1a815e898b78a540f09a0500d22fd604abff9cc0357b8e50f545cef8aaedba5880a4bc72cea120d

Download Submit