c2cab7b86d023cbd71d5f1ea3c8d41a785a8431e2d421fa3a0865d6a1c9822b4

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
Size

2.7MB
MD5

0366ab751020bf5f387b8d4c6a5c9fd0
SHA1

84f6b9619266288d3b6e97aa20bfab5d8a5dad27
SHA256

c2cab7b86d023cbd71d5f1ea3c8d41a785a8431e2d421fa3a0865d6a1c9822b4
SHA512

19024722aa7489a96e1989051cc3accbe34e46a44e8f0846f3096562f35b8d9cc6f873a23ead78a8eeb034491b85189fe4c663f1c1c6c2f97afc2020c645da26
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpU4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1540	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2E\\devdobloc.exe"	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLJ\\dobxsys.exe"	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
1540	devdobloc.exe
2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1540	2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 1540	2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 1540	2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 1540	2216	0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0366ab751020bf5f387b8d4c6a5c9fd0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Intelproc2E\devdobloc.exe
  C:\Intelproc2E\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
9142de8d519c7db7627178828b091a13

SHA1
acc8b52178bcecafd9ae981c4edbff61697d31a5

SHA256
4c69bec2efa872dba8422d8406cb6cf1ef21efc32400af79ca0a65541c12b54d

SHA512
296cd90546db31d7bdd7096345832eea298bc6e23f70112b10d3de3e7ee33c3fa754db44118148a7da04795b7dce5514e1eef3bb13785d7aa056c520027b23bd

Download Submit
C:\VidLJ\dobxsys.exe

Filesize
2.7MB

MD5
73bc965d1c862e26cd87e5e4c1d971db

SHA1
3178eed6f90acac5f2b12e78dd93ff2330fe86bf

SHA256
2b4659f524f08c3468eb7152f91f4462473ec345d9a7a6cc2abd8475b304b61b

SHA512
39b7fc4521a0f03d879b39ebaab16e8a196debe056a8e2dd4a40b1b3d9ed8d83c03d4b5f500ab165cec45021cdba1041903bf0bc48f56bf72f525d431f0a5bff

Download Submit
\Intelproc2E\devdobloc.exe

Filesize
2.7MB

MD5
9eed66e2c5249e40abcf0149af92f5ff

SHA1
49de4b1e337460011b928d623c0265bd832e6035

SHA256
367678aa6323a5da2efe2418fc7d8f73511abdc29ab7e8a5cd86d547367dd844

SHA512
3ebd1d5fc6e35e8d142bfeab70bd29a31d88e7ff75cd49502c2159aa1bc0f44de6c5dbb7f6f4fcb905308126ee142b9b7f9d93ba1b31ee47298338b0dd507949

Download Submit