5422f8458af2ed11979faaf7350721ebf7522cd079ac481ac32d4b863ff56a3b

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
Size

2.7MB
MD5

15719c925ed1b22cff03d527fbe6a710
SHA1

2f86705150032ec1ff2b5c0555ea9407cbb08d55
SHA256

5422f8458af2ed11979faaf7350721ebf7522cd079ac481ac32d4b863ff56a3b
SHA512

9851318946a1f8387644df437b4ad683314d205c11117a0cd7ee21fb9fb7d5b2ff696a4d2521027ec24dac3c9c2251ed72d15ac12997285ee18740aa648662b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC9\\devoptisys.exe"	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBMX\\boddevloc.exe"	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
2412	devoptisys.exe
1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2412	1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe	28
PID 1612 wrote to memory of 2412	1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe	28
PID 1612 wrote to memory of 2412	1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe	28
PID 1612 wrote to memory of 2412	1612	15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\15719c925ed1b22cff03d527fbe6a710_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\UserDotC9\devoptisys.exe
  C:\UserDotC9\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBMX\boddevloc.exe

Filesize
2.7MB

MD5
90fd0494995f0ebd5407c71a77286d32

SHA1
016529b46517dfbbd1e5bacfd143de0fd9114e8c

SHA256
4f00d523dffcf1daa71cb2d9776338154ef3c98842883d921f463da295a66700

SHA512
02b516ac903a6e1dc78aaa175a49280e62ec753db142fc80161c12798ac2e1bac87e4af5bb1fede0b1744449e9456c01f2ac3c93b789cafa39d527c6d80ef949

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
6791ebee59027ae0a94734928da9d18b

SHA1
52b9b52da625bf80a9c2b2c3224a7fcebcdae8f0

SHA256
705c5dab92fde7b1d5f7da0e0735e5b6ccd0a6783aee386174fc70dfe98a1a87

SHA512
cebbb9139dc65c98f12cf9379bfce4a29f5d2bc056b53d2fdeeac47efccfe570218c0b63a97fc5cca480ec376b633a382a70235a2f0cfc6175e42eec438e1941

Download Submit
\UserDotC9\devoptisys.exe

Filesize
2.7MB

MD5
0306f9f25b16356a8ce4beacf7892a77

SHA1
719fa5a0293283c5e785ff0aed972e6a2bbc6751

SHA256
385124ea8d3bfcb7c3294660b09cc70554d8c49abdd1c06b91718aed43efda5b

SHA512
cd503779272632ffaecdc1c0ef35554ef6344cd1fe44f51a5cfc9799e8dc028bae35b73decd1fc6150648614b6817b126b7dafebbb5209b1e6ff05d428a361af

Download Submit