a3226c6d6ac2de92eedc5d7c3cfa939bc90af6f67c4ad483f31b1baf6af4c9a9

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
Size

4.1MB
MD5

c676deae4e003978a0a771cce2b0a370
SHA1

ebee67a72a9792108c71a89c7eac643721c4b553
SHA256

a3226c6d6ac2de92eedc5d7c3cfa939bc90af6f67c4ad483f31b1baf6af4c9a9
SHA512

fe4df2191bf8c7e5bbdd363794cc112e6d667ce00ad0f4619c46851e87751d8a085e7db17da97a98b99b9fbd2db3b27dcb61be9ddea560c73435c06e6f3398d9
SSDEEP

98304:+R0pI/IQlUoMPdmpSp54ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmK5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5068	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHP\\devbodec.exe"	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5B\\dobdevec.exe"	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
5068	devbodec.exe
5068	devbodec.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 5068	3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe	89
PID 3916 wrote to memory of 5068	3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe	89
PID 3916 wrote to memory of 5068	3916	c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c676deae4e003978a0a771cce2b0a370_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\AdobeHP\devbodec.exe
  C:\AdobeHP\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHP\devbodec.exe

Filesize
4.1MB

MD5
035a3c11bf793be339ac09702802351d

SHA1
ee4e67c418dd740d1b189b551acea4a1fbc35a6e

SHA256
712a90b5c7dfc5c03bd821f3bc0aa759b652d77c51c24c439c3e94b61b262b3e

SHA512
b5641eb3fabf8ba85553db7513c16a1230cf7e8172ac000682969ec317a4a3957f769c2f7ecf4babff02d3b6140e0b418cf1b106449fd052f862ea4678006a65

Download Submit
C:\Mint5B\dobdevec.exe

Filesize
4.1MB

MD5
bd12f6fd17d43172916f923629c54fc3

SHA1
efe6c609abbe6a6bceefe1efb1185f7ce129fb4e

SHA256
7e2f9c69ae58937850e443944b14c91ddd0af17c9d3119989abeaa2e7bbbb6e6

SHA512
d6a7b1988f8eb5411ea2322b7fd684cac31a5b4eeb751afe971b23c3926c5f5b752fcdf68444fd61a93546a504e98a9130e1bd125a25cbfc6b026b7893375a89

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
f3a437977e894b9d5c8e4e7fd88883c8

SHA1
38dabc6395ede0c1c664617bf52a2e654eec68ff

SHA256
62ed84e346a289d17bb6e5f88fa5b39859a4683ae2dc7f60f32101c86858cc8b

SHA512
d256d2ba5a52ac058ff13382fe2545ea2eb946aab3ab38a9ef3e75710e6a08d389fcec85ad4d1c5b4d4d05ad773b0be4294836e9a59d6e23f9ac99d37fb4666c

Download Submit