7db61eedc512dcc3d726a171debf6d14d6feebac562d86ad8a3c634a96452925

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
Size

2.7MB
MD5

2748d423314876f9cebbadacc1360930
SHA1

c6941c346b8b4cb362b231f073b5763852995d74
SHA256

7db61eedc512dcc3d726a171debf6d14d6feebac562d86ad8a3c634a96452925
SHA512

e37d5d0c3d8bc6512ba80d73403ac2d1e2125120b22f78ac1b39cee2529844f0319a4f01a3156673703fc357750048e6c22893f34925d0eea566c68138397362
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpr4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKT\\devdobloc.exe"	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMQ\\bodxsys.exe"	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
2544	devdobloc.exe
1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2544	1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2544	1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2544	1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2544	1924	2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2748d423314876f9cebbadacc1360930_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\FilesKT\devdobloc.exe
  C:\FilesKT\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxMQ\bodxsys.exe

Filesize
2.7MB

MD5
80402fd43322ee8e9505bdca620bc871

SHA1
8d8c033b2851d5c4b81c86b161887fb8a92396c4

SHA256
c95b483308ef508d3b08aa062f57d0e8cd117ce657c8f9ddf646e18f05d70cdc

SHA512
a9bae6e32da9983d31973a7b2f707b7d90c163a4253a3b0c9c32aa9163e0dd547d9521e45e9eb08ef7c57a9243ac2dc4c46de87284e6e1b747f3f3cf8d59ed8e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
a22e1b68cbf5046517f2942c88d47f16

SHA1
ba89435351c6efc1eda9bc91dde1c838d2245047

SHA256
51d4ca167d90c5e42c09e1fa63f5a3ff195f0696a3df81092f0ad3d7b180b5dc

SHA512
9bd62cf201cacbf25f4ec1daebf3892fcf21ff2a33ce066b4b3594f8f958ad7246e1d8fbe08f263b8cefb413eaa36a142a185b478f0e1e3bce511753839527d8

Download Submit
\FilesKT\devdobloc.exe

Filesize
2.7MB

MD5
283df332615705f554337b11bb2a808f

SHA1
8f39a7136c77eb7379dcb64c6e2ce91bc6bd11fe

SHA256
72be4c337d10894e7af3c6443437a17a6452c2c9e361418df28d1ccee79ca044

SHA512
4b84fdb29c6e3378902c8c61ed666793055e69a4cea3ed5d274c90e47c6830393c99b74671017af1129a91e16364a78e1534ebdcb6ba768e81254cf8aff1fa98

Download Submit