75173bab8fb15d74f91116a64626113a34af841c5d24a46ee523177e925da1d5

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
Size

2.7MB
MD5

428243aa08704d9c8b526686cf95cff0
SHA1

471b56b81e6b0bc1e8ffe398f59b92b6d1d1911c
SHA256

75173bab8fb15d74f91116a64626113a34af841c5d24a46ee523177e925da1d5
SHA512

0274f363fb3d06c83368d635df055373ad7271d93c3b5114fa5cc2cd371b61ee3cf2751a9cc86cf6bb45ce401321cbd920a7ac4fc95510fa818ca7467355b1b2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpj4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5076	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4U\\devdobsys.exe"	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRQ\\dobxloc.exe"	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
5076	devdobsys.exe
5076	devdobsys.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 5076	1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe	91
PID 1420 wrote to memory of 5076	1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe	91
PID 1420 wrote to memory of 5076	1420	428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Files4U\devdobsys.exe
  C:\Files4U\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1956 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4U\devdobsys.exe

Filesize
2.7MB

MD5
2a9b24158082f083adf596dcc0fa5943

SHA1
d4a6d1634abc94e8f844ca2dc530b4ed542013e3

SHA256
49cce836c465aab077d90ad7f9c67a41f4a41f3646441dad128de4a8a9ec6870

SHA512
14f44d089fa6c009203dfd67634b0731baef1dbc7174026a5da85ea5d7344e7b3a22e3dfc96b23fabab52a8f1528d8c6f58d7ac08de1cab7b8c8283c0e5cb496

Download Submit
C:\KaVBRQ\dobxloc.exe

Filesize
45KB

MD5
e9f1c35cd88fa326c03b07610034db02

SHA1
84b21aab3b1e745f5005d594236c499bc6892d3f

SHA256
6d3701e4dded8faf0c9a7f29b51851ae759e62ea9667a0c52047ddbed1915c5d

SHA512
d48996f9713a650a8d62a3d07d5feeeb2691db39b97ff63f93d26aa3a6c15bbc9c09cf0b2dbcc0d7bd9ce86c10ed31937911946d004435661e30ddea1d2bf35d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
4e03edaa272bbc868173907c66bd79c9

SHA1
79a0864e6e6c5646ba7354580778d4c5034656a9

SHA256
368cadf7196abfa4e948dc7579ec4a4ecb0b48139b9adc8abfd19512cf4da9b3

SHA512
d1ed2c2d845467b321bb5f2a2b961c702e6daac7c0d7504c07472cc95275d1f213a1258a308fbed178907ee92b9dda787153dc409f60f9bc66b1c8093f84c5ab

Download Submit