76c696ea0e60fc04571004b198b36a2ad6d5dd22fe8bf40110de13863b430ab9

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
Size

2.7MB
MD5

ae977b1ddc2cff1496ef09a2162bf3b0
SHA1

225209ba538a57a610f111de7828baa17d304d67
SHA256

76c696ea0e60fc04571004b198b36a2ad6d5dd22fe8bf40110de13863b430ab9
SHA512

bf5ab3d4862704b81c7de23a590f678ced8ce5c0b0b87509d90958734eb7476460c0c5ed0ecbd2d823cee7a9a04f320af59ead5a1635a9ce5e9bf37ff6cd2755
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSp14

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVF\\devbodsys.exe"	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7I\\bodxec.exe"	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2812	devbodsys.exe
2812	devbodsys.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2812	2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe	88
PID 2792 wrote to memory of 2812	2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe	88
PID 2792 wrote to memory of 2812	2792	ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae977b1ddc2cff1496ef09a2162bf3b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\UserDotVF\devbodsys.exe
  C:\UserDotVF\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax7I\bodxec.exe

Filesize
2.7MB

MD5
43765416b89b4cb71362a6d6fe24643a

SHA1
97936a4555da7e6e8803258c881d9bb587bb11f6

SHA256
d0bce4392261bc3e1ca9adfd3861b8edd94b67b0c5b5bf299cff22023a70bf10

SHA512
5fa3e046b8e13098100a6fef2bcf1b72e5775e05c7ec0844bb30c750e7672a83618f0b091454e263d774e92e4320013d6bb6b8bd9f3d75f5e10383119c759994

Download Submit
C:\UserDotVF\devbodsys.exe

Filesize
2.7MB

MD5
c1a0e195a22c3f6eedb5768a7395bddf

SHA1
e2a090f80733e850c1d058356f2c15af4abe0fd7

SHA256
e30a21bc44b1e1a75aa3c480b180740c5f4b8579a9122d21ed354d12c17289a5

SHA512
49e761e8d837eb971263f922e4f3b576eb37f8091b8ce755fb6974ee24881127d5255e35da5d5b969b5b900e85e7d63249785d971972c850ac7ea4d8bc667309

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c87034fcd3e073b5c5c866d9137e3437

SHA1
c6fabb4ba9f2796c8cc5bd9ca2d55679381d6953

SHA256
4ca2df485321bc8d6ae961066e8f6539b82e37d000340697b19dee35b3afe247

SHA512
60ca47e21e957d02e42b3645158ce55f9785e25ff8336bd3604f839da0e07d90dba0c76230c94b90ce6799c23fe73cd9f7200514db60aeec1ead8d5158310fe2

Download Submit