cf5abe826ef2c3d19c704396b36867ee29dfce4fa8f8c77ba23705afcae1e034

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
Size

2.7MB
MD5

19a7920edca4b7ca252e6ff573ee4f50
SHA1

691dc0aea9a56067dfaf21e1e034aaa78cf78619
SHA256

cf5abe826ef2c3d19c704396b36867ee29dfce4fa8f8c77ba23705afcae1e034
SHA512

994476038b70229652aef8ed26b19cad425d8524e5a18d422a98b8c2e4ee6720b7f48db7b656e4d56e3b02e118f0643118f62d7ea1a664e9dada807c81db9991
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
908	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC1\\devbodloc.exe"	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFT\\boddevec.exe"	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
908	devbodloc.exe
908	devbodloc.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 908	2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	90
PID 2744 wrote to memory of 908	2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	90
PID 2744 wrote to memory of 908	2744	19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19a7920edca4b7ca252e6ff573ee4f50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\UserDotC1\devbodloc.exe
  C:\UserDotC1\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBFT\boddevec.exe

Filesize
2.7MB

MD5
5a54dc72393a592109995b7cef196e91

SHA1
344b28b36a224a41a8bdb32690b87b325016ec37

SHA256
31d10430e2041d7f0b6e1b34cd905d1cc448d4a0b2b84772eb70659f6a2839a7

SHA512
a62aff78354531104bf16f1b508dfd1b8c8334c4a64c8103cd24175bd27cbdb4add75d9b26d8ce9756dcb50e587989e1dce833307b58bb1112d4b034e3e48d33

Download Submit
C:\UserDotC1\devbodloc.exe

Filesize
2.7MB

MD5
1d286451a0da7006b2b749862b8e7a9a

SHA1
35d36516df80493a5cc8ceb838815d8d4fe50e20

SHA256
ea1bddd49ca220f4ff4bbfd3a8f63ebc49394fd49d7265dec28611eee37d8ec5

SHA512
2cbfc73a954fd3022e10e28a43ec3c8cb732f9c3dfe2fdbd4ea8a7448feb259b8b7a8e6c1342e85249d9509e8e5856efa392ad1b719d39346200d4cb0c9e85f2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
cb85ebbd71c111c217a20ce908893622

SHA1
aca244e1ec910df013f6f7743c8a6343ed0c5e75

SHA256
90dfb1d6d63d06a82abbed42eff6f4bbbbae157e898bfd47d3c1006d7ff1e7bc

SHA512
650b39e916899a020cf9aeaa992e4d22084a01d0e477b38a9df2f63e67a1f5ac1fc5115d62b532c7cbaeefbd61a295ac000fb35cf6051b9724d4f9d86403e91d

Download Submit