3976aa9333b423694d261ed5a71102480ed89c95ab1ff296e96d3d8de4c85cc4

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
Size

2.7MB
MD5

d22967154923851bb41db49ab7c4c580
SHA1

205f208d2fd91b584734191bfd39424425ae954f
SHA256

3976aa9333b423694d261ed5a71102480ed89c95ab1ff296e96d3d8de4c85cc4
SHA512

c8d32552437dc397366f9981cc54b1a0b048a10636368006cc05bcd1d778540495821fcfaa4ea6e316608ff3a0e4dd2be0b16a083e6e7a8b3f5ec0595f40b020
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSpo4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYZ\\devbodloc.exe"	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX4\\bodxec.exe"	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
1320	devbodloc.exe
1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1320	1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 1320	1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 1320	1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 1320	1928	d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d22967154923851bb41db49ab7c4c580_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\SysDrvYZ\devbodloc.exe
  C:\SysDrvYZ\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxX4\bodxec.exe

Filesize
2.7MB

MD5
56a2da7440d6e74095f371ce3509e6b3

SHA1
610d817df7fb1f1ba55bc3273cf78da862eef3ef

SHA256
b3eaffcbd2db98303169b0e70d234c64f76e612863c6afba41d4ec041baf24de

SHA512
868070d7a9cf4d4f099140b37b24ae0b39eac94fae4dccdfe070e200524d1ff471928ddd923f0ce8ffb102409aca5a5668e6883f49b3713531f2a60e0d173f1d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ad7ef8a0a133c3711b5baf0b34b91a1b

SHA1
9c812510ff80cf9613ac7557b04edfff7e0018f4

SHA256
48b67428c9adc7d8399796cb52aadc7f8d77da0cbc55fb82a4a188d6b235f9ea

SHA512
4d20c617661f37dcc182f5a5db4fee3282b354b96a5313f885e8e89e24b3a9120d7307990f40bf6cb9e59aab30345ef590c9b5f113652ccd9a58acc847a35e6b

Download Submit
\SysDrvYZ\devbodloc.exe

Filesize
2.7MB

MD5
626c82be4eaedf72812149f94f46b341

SHA1
fa859d1f8f1e200762a459c247a911e3739c20a5

SHA256
6eb3fe1a5597248cd2775dbbece9d96fe01a044c7abdcb247ce9c65106c3a358

SHA512
958d42138410c87a2e6e8c8195701b49ffef4c363551eee61994273a48eb4f0799bfc22eb9cce43ff1d68cf5e2c49717fd4d6357d8c360c589d7fb2f9a547ad7

Download Submit