c7ac43d488b8fe72e8c52942d4f2789654d986993e7f37098b9c52ebea2871b1

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
Size

2.7MB
MD5

e54913b9696d39022e10efa2608d40a0
SHA1

bffe6984d5a33424e7c7aa80ec5cf2cdf25d7a8b
SHA256

c7ac43d488b8fe72e8c52942d4f2789654d986993e7f37098b9c52ebea2871b1
SHA512

f15e211c2dc2ca12bd0f7f483f088a847be69720eb93c9c901c1f58b9fd9eca54a0f88d2751a7000aeed5630a538c301c7453f970a04fd6b987fafbe323e01af
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBX9w4Sx:+R0pI/IQlUoMPdmpSpz4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHL\\devdobsys.exe"	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCB\\dobxec.exe"	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
3048	devdobsys.exe
2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3048	2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 3048	2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 3048	2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 3048	2180	e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e54913b9696d39022e10efa2608d40a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\AdobeHL\devdobsys.exe
  C:\AdobeHL\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxCB\dobxec.exe

Filesize
2.7MB

MD5
cbad065323d8911ef4f1d17b62304c41

SHA1
d5a18cd8f5957ec0f495fc832eafe001aa86e4ee

SHA256
ab7a495f94577aeb8434b0a592e76aa4d3e750c64abc6161219358ffd7a64530

SHA512
a3a23aec5e0617aefbba49885e68b928520abb1fe15a687988ea41c76c09fc81c4cdf97a579ba97309f5afa17c1274c4669c0f130acd96e39ae78bc2a0387815

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
9eb29d95aa79701a14667e72a92aa04b

SHA1
0df31a89ad39e1c53aeba9aaf89129bd473f4775

SHA256
18ff53e55466dbd8976b69c234cec5d734092c16b478f0a89948f7761cb4031b

SHA512
d4da5ef1f9d981cc403a2f63a1c5e6a00785c707e86e7567c427ccf47927f51fdea3c6a65cb13f79212d0d3e4b90fc560a0c0bac3dcf6583a7e3cc95ccc1509d

Download Submit
\AdobeHL\devdobsys.exe

Filesize
2.7MB

MD5
38bb510ae3058f5192804f320fb8e122

SHA1
649d91824b0b5b9abadc68976b6b67be7962a297

SHA256
be642abfc364cb0784f286bcaa4b15287f672a1e1b20ce0efdde852197f05f9f

SHA512
b3f646083a2e39d7943048c20600b48417fca8c5c9f7aeb29e2e47ad8ca25595a8ea6761fce1c65cf3cee0e8e879d546d034d3eceabe93851b6617df250d519b

Download Submit