75c80914d27d966e099019addaf7d80f96b01599df70621001ac0075f538a290

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 05:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
Size

4.1MB
MD5

658a66bd6f8d8366b46837eeb7937030
SHA1

57f2aae0ad8ea3d08d31d5bb2ad04a380a28b7dc
SHA256

75c80914d27d966e099019addaf7d80f96b01599df70621001ac0075f538a290
SHA512

17bcc342496a5afd81c56bdd0cdf9ee925b959f28608996600ed6341f47be50f8ff212f5bd8f509a7a0e8e859e228d54a452104743db221463f5666d7555461f
SSDEEP

98304:+R0pI/IQlUoMPdmpSpM4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmP5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ08\\dobdevec.exe"	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv14\\devdobsys.exe"	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
2928	devdobsys.exe
2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2928	2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe	28
PID 2164 wrote to memory of 2928	2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe	28
PID 2164 wrote to memory of 2928	2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe	28
PID 2164 wrote to memory of 2928	2164	658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\658a66bd6f8d8366b46837eeb7937030_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\SysDrv14\devdobsys.exe
  C:\SysDrv14\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ08\dobdevec.exe

Filesize
4.1MB

MD5
e6f631b763d0b151b90bbdebb6283714

SHA1
41b8422b30d984e31a3353e3d32472a0a75217fe

SHA256
d54d40efad255bc74dfc63dfc60ca92046e338daf41bc4be18b74576b3487d97

SHA512
e7058d9b17604bdb64f11c61d9e2b56d9a27b2af06f651eb1a3140b1fd8cf4ddeee29535a15a8a9a3d008c1d513c44d6da2a1e09fe474c7b8d6a8f3d54b575ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
1dbaecf545e31a8cf70fc2f3e0f0ae5d

SHA1
5ffd049cbbb6977b94ed3508e0d0bad30ab5f429

SHA256
9680acfa9a50105440d60dbb9f842b498ed339fc2258e0a19365fbb6b478b8bf

SHA512
b75cbf28bd0ace0e4dc48c3f2f9191ca37965bb28e3720b4bd5c013186b70de5d1f04680a61336d2536c58c33b2aafc12b2e3ad9558567d52eedfaa2d33bddcd

Download Submit
\SysDrv14\devdobsys.exe

Filesize
4.1MB

MD5
bbed1bc8fc1be2c5880769d1190144dc

SHA1
51a8bfd09068f409f4a28709a8a0da30d0a01332

SHA256
3e3eff5762b132f9f39d30f311e9e822df0842bc844afa9cc2f19741d1df8477

SHA512
79c965732ad6682e76f668fb874a6f83978e59de289b406890454e77b5bdc9f3477bd2968fb4b91fe8687740e657aa9ecbd9f71da5355cf42e3cfc24d5e2b094

Download Submit