80ce191de18768c67b10206cac806c77d0c972660e1f5c4c6903b4446f00e69a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
Size

2.7MB
MD5

6c07d4c91e78b5cffc5ed0efce443ef0
SHA1

16f35717836c3b72314f7cadccf057b4be130a59
SHA256

80ce191de18768c67b10206cac806c77d0c972660e1f5c4c6903b4446f00e69a
SHA512

55065708784c4f3ca7e9baff5cae537d510b2d189d0b282aa55854fadb2401f8e2e293474df65a55203da74f44e0e9496cb0d038470fc594227aea9809093339
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSp94

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\devdobloc.exe"	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHA\\boddevsys.exe"	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
4704	devdobloc.exe
4704	devdobloc.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4704	2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe	87
PID 2924 wrote to memory of 4704	2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe	87
PID 2924 wrote to memory of 4704	2924	6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c07d4c91e78b5cffc5ed0efce443ef0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\FilesST\devdobloc.exe
  C:\FilesST\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesST\devdobloc.exe

Filesize
2.7MB

MD5
3801c67cdb8ba377c862f821bb8c5533

SHA1
5ed2114abe771a38309da4cd6ecfc3eb76a6462a

SHA256
1481aa78629de57cb357328a5cf8d170b8f1a68d8971c72a2000b18031e33691

SHA512
308647b3afb7363e89e7a94edd69045a408faf13b72927a20788ed03e1c56732961443d7602ec35d4af5fdc26aa96e71530b022d271df38654c8734f093b786a

Download Submit
C:\KaVBHA\boddevsys.exe

Filesize
2.7MB

MD5
58d6675b4efdead73ef888b90ef28d26

SHA1
1dcc4fde45e13daf143518c2431859e3ad9fe618

SHA256
300174612a30ca3173cfdc6bedbf11472f99f9696eaad203e46db60c3b9b55df

SHA512
c769417775731764e7ef5a4bd3764aa88a13f7d59b78b38a4a89ad475c1a450cd2c7ba05db31eca9385940d722fa8b23a19a3e8ebd7067a73a4a9b6450c1bc78

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
a0151d2626d6a9fe646e2b1332d2594c

SHA1
a9ab520496fee55e59fb6d3a5fe717d9477f1b5f

SHA256
54ed99be5b66e29be833a3d7577a3961d0f17a44a5c33c1a3c352fd25a64333b

SHA512
6a4230a5c1500963ee8bc639b74648fdfc17d80ed2c80f6828e66bb82841c06c33cc0e0a1a9f0ecd6abb1f8e7f953dfa30c9f00f38f3123ee82b5031ccf741a7

Download Submit