f517c2815d2407b8bd844750fb6581361fef1744e31ff9a616b9f29adea73c49

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
Size

4.1MB
MD5

683bf4ab3f441a427999f3d9f4506830
SHA1

5b0b758768851c460916738ac0e5a1b398a2d9ae
SHA256

f517c2815d2407b8bd844750fb6581361fef1744e31ff9a616b9f29adea73c49
SHA512

418808bf9c49e9645e64b798f065f03d89c17e4ba54e6ceebad9a7a76083336c652bc46a6d80da299775e2c1f0a83f7911803612d667e81247721c93b1c97bea
SSDEEP

98304:+R0pI/IQlUoMPdmpSpY4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmz5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1840	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\devoptisys.exe"	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR6\\dobxloc.exe"	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
1840	devoptisys.exe
2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1840	2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 1840	2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 1840	2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 1840	2176	683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\683bf4ab3f441a427999f3d9f4506830_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\AdobeHM\devoptisys.exe
  C:\AdobeHM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxR6\dobxloc.exe

Filesize
4.1MB

MD5
0c3b5be5e5aee9b7839f033ccb4d6147

SHA1
240e054aa1b459d19061a89b2adad2f53b62f448

SHA256
81e51624eb49994828fcc942b6488fd206862802425aa67752ac9f0db3ee015e

SHA512
0cb195af2901d7aca686b9063e85582be71d49696ce72fb1039b61755a894709b0fa5c451fa7890d628d5462784ad978479d809d57ab3f70f839254a15a87eb6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
212B

MD5
76bc9cf98c30d6effd27dfd0bf01a770

SHA1
c58ec26d20e350b2019c5db251c8b82fb79535a7

SHA256
d6f9c84bd5c3775e70089298984ee8455eb92f4d95cf2bd813fa60daa5c29245

SHA512
681c470cd1692bfdd644410b2d25860e62c18b55139fecc9c422d505fae2fc611c73ac3e00c61803018a39793557df9c3fa35f4f3874b1767139973ffef289bb

Download Submit
\AdobeHM\devoptisys.exe

Filesize
4.1MB

MD5
4ec01fedfcb2124f237a73cf0793407c

SHA1
34814c59ea27f1ccf0936d87ae01fe76d847cc5d

SHA256
0b5c10f9796b1ab6b9c978643830a0bb8ee083ffdfd96470be65209ce47a2f49

SHA512
490b73b98e15dcd19f5a4478f3d7781dfe5af1bf9639433192266cc7ad146a212bfbf0240b6222644fd8add49f44be62785b52f95267f668c45da8fc4d25a55b

Download Submit