fbd868157941e2ce4c599b945026939277ff9256dd97ac338e93cbdd1e8f60fe

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
Size

2.7MB
MD5

7c05815a425d8a45808e809f24d8ffd0
SHA1

0be144ae6b8855a42516d132fb5ae2ce0f446fba
SHA256

fbd868157941e2ce4c599b945026939277ff9256dd97ac338e93cbdd1e8f60fe
SHA512

c1ad7b85bcf8dc96ab6fba7653e6951328207ec537afc7a82ed0a0a01308cf282476653d363efcfc3bc1b67a22666dc88b3861e1ffe2d4af69c3b4b71ded7afc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5R\\devbodloc.exe"	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBI\\dobdevloc.exe"	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
1740	devbodloc.exe
2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1740	2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	28
PID 2072 wrote to memory of 1740	2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	28
PID 2072 wrote to memory of 1740	2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	28
PID 2072 wrote to memory of 1740	2072	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072
- C:\UserDot5R\devbodloc.exe
  C:\UserDot5R\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxBI\dobdevloc.exe

Filesize
21KB

MD5
85ac8e8d98995fc09cc8e14b9d872d90

SHA1
adaa24efc93ffdc30c0f3eddaed74ed35e28744b

SHA256
4147383c7efa7821c6cfc8b7a765239587b96326516b35b8a29b5759d56b432d

SHA512
71b1aead94e4cf1bea92e76c1e652cc34c48ae4aa8a1a8f508276c2025ed5821c7ac8d66d8f165cd451ed36fcf9d03a044f936e5ad0acf3d006044ed8f1b1f3f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
698bbbb66d93ddee97224ee238d87b31

SHA1
89c360e7a98ce9d1c07515d5a24e3d662eefa502

SHA256
86c110e4b6668ae7db961c842ca029c460a54fd012d85e9f1e723919382f35b1

SHA512
b1eff7c750c434258cd4d532e5ab099bfc7984fb42f9e7a08e1ab1cca93c3a992ab5ece9d782807871c1e9aadb7fb4bd03310b07a4a90f105be6b4e57a81d73a

Download Submit
\UserDot5R\devbodloc.exe

Filesize
2.7MB

MD5
eb0f4e58617f6e5af01fd42c32018b3b

SHA1
b24da025da7d088107cf460f38d4679ee1b28e0c

SHA256
134a1597625c8b79243ef4aa4d09efa737cf72a11fc64021d118f8af9882ac09

SHA512
de6b3460362d2b33a039879665b1b7c41ebbd391f89f2c390ce96f80c6a99d5b1f8fa3d978a957215906513d1b1398339cd3e740adb5f6f4e29977abe674fe8e

Download Submit