0977feee4772c9bc896a2d3719f312de7deeeb52a754e6718bf82fe1c0982b4b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
Size

2.7MB
MD5

00a7ef94eff80ea45b4c6266a89509c0
SHA1

7c07304b14463e26a127ffe1b1361b12f9c094a8
SHA256

0977feee4772c9bc896a2d3719f312de7deeeb52a754e6718bf82fe1c0982b4b
SHA512

ab011cd9f7288b4e2c48727c5ceafb00863e854ab5599f3461b4c5eda48f2ab1db0505231163de78e93c0b0789741d2979123ab2099a8a8f116bf1b33dac9e73
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBE9w4Sx:+R0pI/IQlUoMPdmpSpm4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesT6\\devoptisys.exe"	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYF\\dobasys.exe"	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
1736	devoptisys.exe
2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1736	2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1736	2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1736	2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1736	2104	00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a7ef94eff80ea45b4c6266a89509c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\FilesT6\devoptisys.exe
  C:\FilesT6\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZYF\dobasys.exe

Filesize
2.7MB

MD5
2901fc60001b7482a01b62ccb82c1211

SHA1
7205916a889154bd0d2bd176779e1a4b5c8c568b

SHA256
ffce857f50e0e2718a26b5ee47d03d38a8f54104939ec7bd773fefd8fd24abcf

SHA512
98f39ea0a937452b9581a69b8ebcf535c1f34ad80731d8887de5d23ffd5c45b09763e7182d25dbef11e38d9b908cbe29d7a30ec9887e756a1b93d7c2b7019c3d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0f386562e69cd789139c1680246a3118

SHA1
14ec4632527f9c6cc4ef22fe7af514c63ec28e89

SHA256
ac35bc36ef95acd3975a826bd8e47a7afa09b7338e05100a48dbd1029ac45bd0

SHA512
e5446664344e6c35591009723f398562693ab4b5ff6f5b3b45cba3e7a88abd9a03527d02e1a8a58a1657872ac1fef29e7d48207e4a3073534a3bf4b7d43a3b9b

Download Submit
\FilesT6\devoptisys.exe

Filesize
2.7MB

MD5
7b51e89bce50cd1a508b4f3f855878e3

SHA1
f88819cbcace15540d86e67177222712125ef3b8

SHA256
5f25f92185bd62889557ed0c40a012d8f89476ed01ac5a24548a8dfc4331d213

SHA512
f6b3dd8af6225d5a6b0b75f7d295c8393edb3258ba302f10bf63feee2b5283dcbc350486f69493d5bd1966339fad39a60f5c0403eb5a0c7723c5ef5e7238d6b7

Download Submit