caa69559bf37baede128905d33eccedc7c8d422f66641ccc13e6b83f3e724ec4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
Size

2.7MB
MD5

2ce23d5219780a2c39a9abb99f948bb0
SHA1

9ce9a6195283149a5a6bc6b4cbc6a094062bb206
SHA256

caa69559bf37baede128905d33eccedc7c8d422f66641ccc13e6b83f3e724ec4
SHA512

ef7eb656d7ec4bad6d17c25c735d086922c52d048dee419814d38ecd6253dc838d763cc92513868fba682f58dd36a3637eaab65b8afbebc88a33db0fd6b2c75b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE7\\devdobloc.exe"	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHD\\dobxec.exe"	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
2232	devdobloc.exe
2232	devdobloc.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2232	5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe	88
PID 5064 wrote to memory of 2232	5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe	88
PID 5064 wrote to memory of 2232	5064	2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ce23d5219780a2c39a9abb99f948bb0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5064
- C:\IntelprocE7\devdobloc.exe
  C:\IntelprocE7\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocE7\devdobloc.exe

Filesize
2.7MB

MD5
9dcb744fb4a48e6e6ced072e66255806

SHA1
8d83b1536040025c0650cab34502c7c444b5f2ec

SHA256
0bda2762dc402b69f37329006651bf8c09b799c2d5406cff107421a8c3cadaf4

SHA512
1612fe6a0eb81f400de05ae6c0816d6e08172229e186a960626a83083f50c43322a42c42a91aace73a0a19970ccb9af8727ac9946c4213e554caea111404e73a

Download Submit
C:\KaVBHD\dobxec.exe

Filesize
1.4MB

MD5
99ae141e6d13465a8e1dde94223977a0

SHA1
b5b147f77f36791b04ea65b35fc5b9c6e36f0c38

SHA256
88e9ec2643feb20f93b820ddce91b1deb6258206eab88c8ad0e52c4da65a44a3

SHA512
d7571f1704f6682e961500e442849e55b900ba5ceec2c4289b882ca05769537a8a9eaede8929faf2a5835f0755f6478f2eb7a5f1728058bf0b2ea580a8f1cfbc

Download Submit
C:\KaVBHD\dobxec.exe

Filesize
2.7MB

MD5
daef34cdcfc3ea935b86db0ce836c69b

SHA1
17b2798146b2ff9f6dc70748a1bc1e52e63bf377

SHA256
1070429811e445cd12f82913479e7592909ee2027fc7a742d9c8c4de2cb8e210

SHA512
bad7c735df1439f120fe186ea75f44cf1ad03e63b24891c7396bd9bde1255b257c8ecf55aa0837af1e050cb9825ac030915bfb1b11933523ebc20bc2504d408e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
660590cabcb8d3315105f4ff11e7119c

SHA1
13534e1a0f4409ca663ba34bcb03a4e962d1743b

SHA256
b8985cf971a4c54d041ad69f769cd81bfd4630cd536368bf11278d3bd22e4c23

SHA512
77dae471feb1b078a95b78e8a6780ceb5872153e40d38cb0149e003a9db56f7762744ed03c15eaf88cee49604819797f1f6980b64a9e599f03dc9c33326cecb6

Download Submit