00cf44bcf36e324dbfb7e7276ce293410ecf564ac2de831f1b69f35f923e3f21

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
Size

2.7MB
MD5

5b698efcca1371892c3f3d0ba4a03cf0
SHA1

043e52c7343cd63cfbc617226166f59b233f5d45
SHA256

00cf44bcf36e324dbfb7e7276ce293410ecf564ac2de831f1b69f35f923e3f21
SHA512

a233b29eef232658d2590664bbd1e33f89f0d8cd52d2cea41987f4649eeb0e5c6c28519dc7c02abeaeacf8c53f7a2932b6db6aee789e7a6dda28806563cc37ae
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3288	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1L\\devbodsys.exe"	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWQ\\dobxsys.exe"	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
3288	devbodsys.exe
3288	devbodsys.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3288	2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe	89
PID 2492 wrote to memory of 3288	2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe	89
PID 2492 wrote to memory of 3288	2492	5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b698efcca1371892c3f3d0ba4a03cf0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492
- C:\SysDrv1L\devbodsys.exe
  C:\SysDrv1L\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxWQ\dobxsys.exe

Filesize
2.7MB

MD5
57e295edd4b8c11eb334489b44b43b81

SHA1
8d65f13fd93ce9c6784885cd91212fc16769c258

SHA256
b43f507854199e8364d34ad9767030a061cc126097c3629f0a0aa5ed5c949d32

SHA512
982ae5956ee5594cae1a2e32297d8e84b5e0e38b42f23723c5755ef1b8eda2cfcf7446cedc1c96d97d013be60affd63f54b3cbb35fb67ad41866a861253a1bc8

Download Submit
C:\SysDrv1L\devbodsys.exe

Filesize
2.7MB

MD5
d09b777b8e9b05c11c9a2e9ffd9fdf8a

SHA1
41d2aaf6fc3c3d758e6ba8a065d1c1652ce68496

SHA256
e889804ea06c90168fde271b11b4f65ff448f5270e6d34f599f58fdea770f039

SHA512
51abd98e1ab023695699d548b922cfe3631952511e4d11297c57463b50604dc88b76f7cfb01ce17755c1e298f9aab442cccc552375d1b477e7305db2f29b1b8d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
278989df1ed33a27d4f3a0ef566b9895

SHA1
1aa610c8e25ce58d0bd1063ae74762664f6178fd

SHA256
870a1844bf398e1fc3b03e9a9f80dacc8c67c485ac78c6f9ea4416ffbb43020b

SHA512
7a576401ab2f5459145279c7594606cf409cda89aa634ec2865a643d8cc67cd950f9f42a5e5967546b6505cbea1b2e068069342ba10535647082cba793d17dcb

Download Submit