02d80cd2e17f540ddd05ccdc8c861d8dd31f18921996f0774bd071b4064cb1f2

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
Size

2.7MB
MD5

8d0daf91a892e9fd759a4faec5910430
SHA1

bd4485b37b5dd01c0a9227ad3a4107f0478576a2
SHA256

02d80cd2e17f540ddd05ccdc8c861d8dd31f18921996f0774bd071b4064cb1f2
SHA512

27c01f04f57bfb0a7853bf4067fdf63e4b78c92ad1a9ac962b8a027a8a5452fee7d13323f5f460413a66deaa020eab2b4476f527a1b4890935794f8fdef93e68
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBB9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe"	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe"	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
1980	devbodec.exe
2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1980	2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 1980	2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 1980	2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe	28
PID 2392 wrote to memory of 1980	2392	8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d0daf91a892e9fd759a4faec5910430_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\SysDrvKG\devbodec.exe
  C:\SysDrvKG\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintBQ\dobaec.exe

Filesize
2.7MB

MD5
5d6193f2cccdb2abb3608f5c99b53053

SHA1
fa71645f6cb2522bc692ee0d04582e0a004497d9

SHA256
a991e2bc0cb0d814033089f7cb83d82128f74ca405119e9a561a7c695c70778f

SHA512
2bb000fd2ab10f9fd802b9e1d63593a5e565dddbef1c25c63a6b91c0f24f115db3a2686e8e1ecacff6481b1c6821c9e009041c6b8537b93fdb949853d3a8f309

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
a4fc25e3db46976e03e693ce29a80172

SHA1
c4f93db66da6e631ea46681cead5bbc7ce20ff31

SHA256
db24c57840f29462955d32b2e3d39f8a6fd95ca281209e97f723732f806b377d

SHA512
0b3fbc5643ea0cd6ebfb5ba77acad9627ba509756ed0d1181aab61eec0ffcb7ae1dbe36d05e8d0a37b1c024cfb86562135704b4e0fda2537758e486882972ca4

Download Submit
\SysDrvKG\devbodec.exe

Filesize
2.7MB

MD5
742a0f7b10dc8c22577158c29d8ef6d5

SHA1
e6ccba3302f75b12ebec06acc46c5a136613a4da

SHA256
71aa82cc8e2099dcabb85c1fdbbb45444f76edf19b251a9bbacfdc750517fda9

SHA512
2c4f9bb5656ddeac590c5c7d2b9a23851c44d881a589e487759fd6477d695307c9a52b7991983b60e256fa581f3e6902e2eedc52d43198387c95918b342e5b57

Download Submit