c9b7499326ad7aab845b5d89d60c988fa17aa9b3c0bd0e1b67e709cc0479a6b5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
Size

4.1MB
MD5

0de15ce47d006973d19eea7c9fee7c00
SHA1

0e6b5afd4c081507e5b481b94622e6f771a26de8
SHA256

c9b7499326ad7aab845b5d89d60c988fa17aa9b3c0bd0e1b67e709cc0479a6b5
SHA512

bf4338e1f2d32580c4250789880201c5033b31378966980a87e63510045807d1767cf89b9a9bc984ec713d2bd65206ef0d822d1fe61f33fef8888a7362f14b04
SSDEEP

98304:+R0pI/IQlUoMPdmpSpl4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmy5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devbodloc.exe"	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\bodaec.exe"	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
1732	devbodloc.exe
1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1732	1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	28
PID 1288 wrote to memory of 1732	1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	28
PID 1288 wrote to memory of 1732	1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	28
PID 1288 wrote to memory of 1732	1288	0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0de15ce47d006973d19eea7c9fee7c00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288
- C:\AdobeAW\devbodloc.exe
  C:\AdobeAW\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQR\bodaec.exe

Filesize
4.1MB

MD5
4ff1019059f27707df4a3d093a5c90ed

SHA1
6707387565647ab74301db96b01c2992ee27a9bb

SHA256
a165b8b8b32524ff87a3f0b3378fa9333fafaac1f7e86f89a0423ff473f1abe3

SHA512
8de8f4d7a44dc67d864d88305747f1666b267f682619f30a66c1cd32ee7c6fa429f569d6d9c36abf5ac047060ec6fa9b62efa236b8b0cedfff5addb4a8b22693

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
adb5f9e1b63d5e520e6f5669df181e7a

SHA1
677e16edc884b3a90fbd642f602adea993a6a54c

SHA256
c60f993a10ee85d29aedd4c2a8211950faa84c8c3933d817c53711e0902c1a8c

SHA512
3a5ec6308e5f6bbf960bda64b155ab5e8149f5fcda837a8fd1fb6dc3a3babae24e043bd3ebc6172cdcbbfa8e6c7095bb94e3a8f3b2bda095b75c633ebb9318e7

Download Submit
\AdobeAW\devbodloc.exe

Filesize
4.1MB

MD5
20961dee5c792bd1af2962dff980a546

SHA1
7fa5671b04f4fd1280f9bfe92e85b7e816835901

SHA256
1ae4fe451ba70b3fe96fcbf731e3cf3c4a69f0caba80d92e7a719ecac29fe194

SHA512
69d7e8f890edcef59ecda9eeaf3d201bbbccf97d51d18e7156356411a7f8581d5b8afd262b5c49db0ce0db7f56853f550221d0340df42e9ae1643362e53f0ece

Download Submit