86da2dec65cc6b2343e8480931962ac7625d792f1219171da7409ca194090fc7

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
Size

2.7MB
MD5

1e982fefda894ab5c25fbe278e7dd1a0
SHA1

0e258baa4c083ba09b06c4f5ab0bbb7042a3fe20
SHA256

86da2dec65cc6b2343e8480931962ac7625d792f1219171da7409ca194090fc7
SHA512

30b530b77fded13abcda51f0f69a891dee0046871f9b4757b53146081cc9bdde5bdf8ac43308c53243651800bed46e17e3e4b8b47edb17a8c6897edf6c156ee5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB+9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJK\\devdobloc.exe"	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOX\\bodaloc.exe"	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
2904	devdobloc.exe
2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2904	2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 2904	2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 2904	2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 2904	2284	1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e982fefda894ab5c25fbe278e7dd1a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\AdobeJK\devdobloc.exe
  C:\AdobeJK\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeJK\devdobloc.exe

Filesize
2.7MB

MD5
63460b0d76ace3a3d452774996518f07

SHA1
02f49f5a44398257993505b95faf005141c892c4

SHA256
4bde741bb86e4ceb49cd48bc4038c3173654b66a5930de00071cb343fca89f95

SHA512
37eb877d04067f18ec226148b6eefbf4dd9e74141d84f11204012c75139017536346cc06270dee4896c7a1d0a775a4c4dbd7af6c330972418a2b71e8df349c59

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
2d2b79e0afdd1e992fc4786bc0b43c89

SHA1
f4da6608b5b6fd53d8cf2080ed82d4ebcf94ace1

SHA256
7d233338186b79b29a1a37ec9d520f1816fbb7b308aad67ef86c341ff51545a3

SHA512
cd4495c30d71415714178cb1364d6d2686db04ee2deeeb64987c6d9b6c71c7655982cd62a99aca2f160a0e26c3a360c5d284be23ceb303c5ed083220b8966798

Download Submit
C:\VidOX\bodaloc.exe

Filesize
2.7MB

MD5
8a9f1fa8a9d4b346a2d698d720be55a3

SHA1
28966bec743782863e0fe50bbcc3a35b72f6fd05

SHA256
22ed700586807d200c9824f9d8ce8a958a8551cea0f457daf12e50565df54906

SHA512
70c35a74eab0802c46e408fa6be08568ed75346c938615631d55c39dc8e8208f9ad2913044a0c3faac7a6be05850bcbe922e2055682c7c7b479e9af9f778c62c

Download Submit