ef239bcf65c1d9dbd161b29258dd0e199a0c7b0e69391e58d34c9d53e20f4653

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
Size

4.1MB
MD5

e501c569136c26be41c69e6f059abc20
SHA1

8f1e0b52f4676326c829aa20e745f217a94b11e2
SHA256

ef239bcf65c1d9dbd161b29258dd0e199a0c7b0e69391e58d34c9d53e20f4653
SHA512

ed1e08cdb39faa0dd0f54e8e0ab68862b93e621db129750c7ad0a7f09eda33a5606953cf5b5e9f8fea84aa4b2ee6c057d4d213fba9e7abf93e9b4410c592e350
SSDEEP

98304:+R0pI/IQlUoMPdmpSpz4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmI5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
516	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3B\\devoptisys.exe"	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3M\\boddevec.exe"	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
516	devoptisys.exe
516	devoptisys.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 516	2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 516	2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 516	2620	e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e501c569136c26be41c69e6f059abc20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620
- C:\UserDot3B\devoptisys.exe
  C:\UserDot3B\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot3B\devoptisys.exe

Filesize
4.1MB

MD5
36ef296f121e514617aaebbf0336f77a

SHA1
a6f3f13d7eb201163cd61129b9863d924563e927

SHA256
a0d2445543545e6ba3bc909ab4a1bf6d61d734762bed0668c15c75ed14877035

SHA512
d83a86da11f84892dc7ff34b60249da437ae97234f5c5cf7d2a03bfa71d7b73bca708857207c16a0d3141b1c69ed4b5effb4c60e748566ec0f25139b87ce0015

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
8fac90ef48bd49dfeee0b027d2a2612f

SHA1
69d6ca32789569b4980533ec8cfa1ba6a7280bc4

SHA256
2ca3f4d0e0374692a87e9a22bee8394d55d9170ab4653c26d434ac3dfe21a0f4

SHA512
0a2d329b659f5266906da243c7627fdb2f5789cea15a1368a12c5fc0d0c8ea6a2fa5be92e3c9496ded986a9d47d8dd54c134a84547f4a221e8f9a404a03ea8e1

Download Submit
C:\Vid3M\boddevec.exe

Filesize
4.1MB

MD5
b4a980e386a2fe0ad0874c47a541c4dd

SHA1
593e638486eeae0d278364e909527c0b0a46191b

SHA256
9d119b643b4b1ca3b7f0602258836c6425d7af508f0db59fb235cf34221b492a

SHA512
b360b45e047011385108af9e81849a7087224d15abc887bbcb1a3d27fc1829c61c2d38990fbb2af01be28e4afcb3150e317fd1e39edbc6e18b87db266d7f2ad0

Download Submit