504818bec2f01dd9d6cf2b70b3c8261f71213e086fe353f4c4ba415ce0e24b36

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
Size

2.7MB
MD5

1484455779f4539a1990e88c931d6d30
SHA1

189a77c19cfc6e0f7d2aefec2e41574411bb3055
SHA256

504818bec2f01dd9d6cf2b70b3c8261f71213e086fe353f4c4ba415ce0e24b36
SHA512

1637ec39b66f8ecdda646d1a637278ff0875f0bd3eb572ed7bbdda2d5323bb2ce7247620e75bf6318f876597d740aecbe506a5e438c225867e9df6bfea6577d5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBg9w4Sx:+R0pI/IQlUoMPdmpSpy4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXF\\devbodloc.exe"	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\optidevec.exe"	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2680	devbodloc.exe
2680	devbodloc.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2680	1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	87
PID 1468 wrote to memory of 2680	1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	87
PID 1468 wrote to memory of 2680	1468	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468
- C:\IntelprocXF\devbodloc.exe
  C:\IntelprocXF\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocXF\devbodloc.exe

Filesize
2.7MB

MD5
79dbdff07d9b0819b36fc2a71b46b234

SHA1
be83a0af4cfdffa9bb542236146607c10a2da21b

SHA256
8f3f8b6710dac03b1d1502b5cf90e920c1132770f87e1422a0046f2e1407c6f1

SHA512
d43bef4ac500d1ea4346878820ab4cbbdf962ec93d32da3bb73908e90acd67ce91cdf4c5f79a882e915ce9621ed64da43584a97af2fffd57a396f76fee9a99ad

Download Submit
C:\LabZ60\optidevec.exe

Filesize
511KB

MD5
5070f76ea30cb713dc244a0f8e2bdf49

SHA1
3ab911b5fd566489e203e45e66311772d8ab43cc

SHA256
cbb34759db7e0b730c2bb8f30e7ed5670cc5f91a1321baed1ed10d13531eeb9e

SHA512
7b2fbedae54d68888da77a5540783e0669082461588fc4fedd68d161cd76e5ac4612b6a68ce64ee545888a217c1f32609ef21b37df14aa26b07705894585ce5c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
0c0a392c578802cce603169c5657d69d

SHA1
4dbff4287fdeb1bf399e7896f19e7c109dcbac3b

SHA256
c71df23c7edc6d15895d71b7520b18ada29cb5d56cb329e426c8fa02262e9ab4

SHA512
56e1965ea6705c5a06fc738407e14f5eaec68006d04e49da2c2106dbc3dd886532390fd0c2b8f68f4ee3950351bbd3c9efbb42b1f1618451b53cf24518c0b69f

Download Submit