22af9fc1abdd34c1ea0ff13ec9b24e99a29dd83eabd14ff8fc4613c959f46f21

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 22:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
Size

2.7MB
MD5

04dbb8d736499b2a614ac484181968e0
SHA1

1d1d33196f7bca07c6d57081aa8da263486d3b0e
SHA256

22af9fc1abdd34c1ea0ff13ec9b24e99a29dd83eabd14ff8fc4613c959f46f21
SHA512

478f044d935f87ed653b229df37e9db91a71f4b2d01d1466954f9cfa6817dc24dffa121fcdfca4998234d19fc4a8f34da0879d58ebabe566db7e9b25450878b3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpg4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3688	devoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBW\\devoptiloc.exe"	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO9\\dobdevsys.exe"	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3688	devoptiloc.exe
3688	devoptiloc.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3688	3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe	89
PID 3752 wrote to memory of 3688	3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe	89
PID 3752 wrote to memory of 3688	3752	04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04dbb8d736499b2a614ac484181968e0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752
- C:\SysDrvBW\devoptiloc.exe
  C:\SysDrvBW\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZO9\dobdevsys.exe

Filesize
519KB

MD5
ae7be68787d2017e58e8dcf9f6ed6ad0

SHA1
e24d8aa07ef219dcd15a3899e48481652693cf3d

SHA256
5eb1bb89362ed60092fc131f46112a20d33d29aa39caa078282df64c3efb05ac

SHA512
5afdb6027bf7e0c1a8fd9686ecc820a425a98950421fc91f04556a8e50548efda0616e3c670a7a97a518fd708fbab584aacf513f4cc38abf84756f8261e4f306

Download Submit
C:\SysDrvBW\devoptiloc.exe

Filesize
2.7MB

MD5
691a99de29dc6c7dd8b08b33c35bcc0c

SHA1
5c9988e7d4e3c8cb369b0c6e3a232a386fc43a25

SHA256
75b4c49a6917c2ebbca47839abc232f6ca16cbd35c53dba0a726284233d7efd9

SHA512
c287e3ac4d739f08c22d174f8df5e329814f13cea8cb12ef792f06984605b84bb5098ca87e48cecb1bf96c2b0b880ff1ba5a9dd9b3a59ace89360f573f2db9d9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
c00b46a71d379538935f2ce1d12ae353

SHA1
e26a9ec308257c7add3c9fc51d5d745852134bf6

SHA256
a64ed5e6b0936876af1e15ab7809ded3a1fd918739fab91cb2057889cb59ecc6

SHA512
2201ee430d7284876f916b45ebdd8013404ce6dbc3b4582de79d4f3b75d1bb0549d6014def253bd666c6c3b647a710f2bef1ef4cddbecd012f437c35bba625c9

Download Submit