cf5abe826ef2c3d19c704396b36867ee29dfce4fa8f8c77ba23705afcae1e034

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
Size

2.7MB
MD5

19a7920edca4b7ca252e6ff573ee4f50
SHA1

691dc0aea9a56067dfaf21e1e034aaa78cf78619
SHA256

cf5abe826ef2c3d19c704396b36867ee29dfce4fa8f8c77ba23705afcae1e034
SHA512

994476038b70229652aef8ed26b19cad425d8524e5a18d422a98b8c2e4ee6720b7f48db7b656e4d56e3b02e118f0643118f62d7ea1a664e9dada807c81db9991
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3K\\devoptisys.exe"	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7P\\dobxsys.exe"	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2632	devoptisys.exe
2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2632	2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	28
PID 2108 wrote to memory of 2632	2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	28
PID 2108 wrote to memory of 2632	2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	28
PID 2108 wrote to memory of 2632	2108	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Files3K\devoptisys.exe
  C:\Files3K\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7P\dobxsys.exe

Filesize
2.7MB

MD5
846c2d1860325849318684e6e0ef618f

SHA1
e9ba960089d1eb53ce96e8dd98ba517581e746c3

SHA256
87c136c6a885fd9472b4f7ef2b25181eb41ae5bc3c988e00f19bbb480d6ee878

SHA512
b5ffa124b9c7485f5d5d386c92205e4f67dfd35d5e21270ccfd0edf3bc7d3ec8bf4cb6e602b14e1352ff67d3be6d99a10c12b5a9564a5e42dc9df133c1465ed5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1e1d020f681abc5eb62fbdba0d0ffb27

SHA1
02fad4caeb8c9d24147728d1c5f2c785986f5eae

SHA256
00276253951120db48d8083bd63129b19f819f8605ec17dc14f35aafe26c8022

SHA512
fe6c323873ace7a6e172b7b2f4761939ef956e38d9bdadd9f1c6fd759e1c8c7a8b4b73e1691b765f96ed527a8f4b3329dab88b62bfca3748ac5ba56705d07db7

Download Submit
\Files3K\devoptisys.exe

Filesize
2.7MB

MD5
f6d2ccb7a5677ac32e5f89caf3490b2d

SHA1
627d10df43b951b865eb1fdd22b3742a421df42f

SHA256
859d7b8af6d0b410b90e32f787cd7fe58fdcdb4ae90d06b23350171fabab79ed

SHA512
31160e4fbbe86f116a140b815a96c5d04c11e43fc3b1f667b4f3c08ee28b4f55ec5f19b7f1a1eeb746055779b1808dcb75b1ec837e549dd8b36946af69e26351

Download Submit