24055ed055019fb81306b5260769691f19d2d0340e029e77e388dcd8d3f77f75

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
Size

4.1MB
MD5

24876f1b307c9e4e93fb00261edec930
SHA1

4fd0ad906e3e6ce27f83b1196b582e0b86669a54
SHA256

24055ed055019fb81306b5260769691f19d2d0340e029e77e388dcd8d3f77f75
SHA512

0f838e1f5ba7849a9199bbac698bfc94260cffec4e760fcef38fc1f54731604c35be7dffddcfb0511f001975f55da9445f663919a06839c66f7080fbe5a0e59b
SSDEEP

98304:+R0pI/IQlUoMPdmpSp/4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmI5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4768	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBSU\\dobxloc.exe"	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXR\\devdobsys.exe"	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
4768	devdobsys.exe
4768	devdobsys.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 4768	824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe	90
PID 824 wrote to memory of 4768	824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe	90
PID 824 wrote to memory of 4768	824	24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24876f1b307c9e4e93fb00261edec930_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824
- C:\FilesXR\devdobsys.exe
  C:\FilesXR\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesXR\devdobsys.exe

Filesize
4.1MB

MD5
9f4e82683f81a23b5c4553f6d5b2234f

SHA1
94940e6cd82a444395269664bdd147f42a251ca2

SHA256
e2d729290e283f54cff1ad9c78f5eb3a36b56c211b476eebc6bc3194d724c94b

SHA512
29d5803c4a5325901b9fb20198281af40c8b3817dd38a6754c57d79a1fa0d4285a4475fd6e8ee668ba46060bd36959b840fb59c1da4b5232f244ac5636f84036

Download Submit
C:\KaVBSU\dobxloc.exe

Filesize
536KB

MD5
1ef85eec0bcb1708f38989093c335078

SHA1
60cbdf546a643c7b5d58546268589ccfaafde957

SHA256
9161407aea48750e0e4bb4d90198948bdf4b968f05000a9842445091430f0690

SHA512
af473d0fd268ede93e704fae71718ade4c33a36c8643de5b02a942ad07bd5e2f79e7ff5259dd78cb60bae6d53f31a335d2944a633a665e4434ee016e0450764a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
8133fd20d081fd5ea2b2424b65e5b4df

SHA1
2343e2d190daf4328ad0e5ed351ed71b93bbf2da

SHA256
d95a31b5cd5f13a44c50c90c1acdc4f02b368c9540d9c80e22aff1320c0dde14

SHA512
309d45179dd63c0c894fc107a5d6aac2ac490c82b2a8d6b71e1362f211e48e3579788375fd715f0f0237071daacf0696edc8057d86a8ca9b52491cb6c891790a

Download Submit