cd3a2bc027a4a9643b15aeec8aab3cd8cdf001b7302488c83a71a4306f30f551

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
Size

2.7MB
MD5

3cb4573e110703e8e0df0680f274bb20
SHA1

0092f2fabaf7b295a72eb27ce14b0516231cf1ea
SHA256

cd3a2bc027a4a9643b15aeec8aab3cd8cdf001b7302488c83a71a4306f30f551
SHA512

01f81d1b1d855584e339efa6f3cc49af9b6ec706214190732bdd15a2b94f82be9581cb1ee147b9839af68504e21e3a3755a76027c17bb85bd749530e601e81c7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPJ\\devoptiec.exe"	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4I\\bodxloc.exe"	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
1832	devoptiec.exe
2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1832	2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 1832	2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 1832	2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 1832	2200	3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cb4573e110703e8e0df0680f274bb20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\UserDotPJ\devoptiec.exe
  C:\UserDotPJ\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4I\bodxloc.exe

Filesize
2.7MB

MD5
9beb769877ee39e6f6b2cb007838a8e5

SHA1
eca3c6904488bb57a2d312d00a93c6ccc7bab9ff

SHA256
30b6f6fbba32e9b937ab1d4702c5600cb4d091bef790b33fe29c29423f0a9f2a

SHA512
12faad76c1101ce69ace01d992ec45bfda72c51d3fe33847d532c9a68c180e106e9b86bddc55c205921d09e25c175a28f3f7d0aa38719cf3ef322eb0f38f4c24

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
893afa276babefca59de862428a1cbca

SHA1
50e5a429774c4a460be9c14d86eb39dc26ce2ad1

SHA256
758f59d35371d6a4fdb883b10d17a3b8cab1ba02c966277df3b931a7dbacf836

SHA512
46622f6c4787dbd4b00433c5153bc0596765c69e0be063c76ac1a9a3bdb162660c3c7c9996e1f77889442ea479c64320e010db355e76436b6f3e2cde74b600ad

Download Submit
\UserDotPJ\devoptiec.exe

Filesize
2.7MB

MD5
8143d748b58c452fc41d01e6945e2e28

SHA1
9bd6649423dc757e66132091871d8e10d78094d4

SHA256
92d57f7381f55fdef1c7dd48dcf41b49be6221438cb1ecbeefe07538d0f3e3c7

SHA512
17c8238f1b2d1cd141409a145476d6c8009558f6c03b8d25029e3036a86884aa4f45b63894a8b062eb1ed5f656c5012d95188eea124eb25fb8883db4551f1277

Download Submit