7c17210f74b943b532b646ea9c62342a276d1fb15914353c2de5044532e917da

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
Size

2.7MB
MD5

9edfd3a34cdcea468f6b2ef2667d3910
SHA1

4d5686b0d01c4eae9d4ebf5366acd0deabed1b71
SHA256

7c17210f74b943b532b646ea9c62342a276d1fb15914353c2de5044532e917da
SHA512

0e607e3f2634e5945a53a6df4477893da6b9d96e21a0e40f11a4038590847ecdbb978a1548307a3969aef52b9d7ad3d372e220858461c79ea008dac6e88e6286
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2956	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAM\\devoptiec.exe"	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKX\\boddevloc.exe"	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
2956	devoptiec.exe
2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2956	2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2956	2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2956	2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2956	2940	9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9edfd3a34cdcea468f6b2ef2667d3910_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\IntelprocAM\devoptiec.exe
  C:\IntelprocAM\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
1132b4ac873363ca251bafff900a7a21

SHA1
4614d123be4adb9b0629b5f864d27b66c15e8854

SHA256
61be8bc6654f0610fae587a67d83c36cd5312b903c7c98cae8604760875f1d9a

SHA512
c8a499b14ab712b34d84c53f46959ad5689c0284a99397350a00a6ef99c08e97cec7a7332efbca5e03fcc4e4d786a5b3141e4adbb4aa1087a756c0832dbe5b5f

Download Submit
C:\VidKX\boddevloc.exe

Filesize
2.7MB

MD5
12a1ea620f759c670bc933c9d93feeae

SHA1
7ddd8ffaa81558eb9090f87e75809e9cd2fb64bc

SHA256
19716c179e2e40632039593b0c3a12c4de72e8e4dbd471b61cc191896457e792

SHA512
89d3e34b6040de115c5f3c3c04c6faee570a9fce5137cc99bdf37e1910b694668da2547b6ee3fb284ec02bc87628713e53a95795673d23928cf30b99a0698b20

Download Submit
\IntelprocAM\devoptiec.exe

Filesize
2.7MB

MD5
695fb79e434ae57ff114a12756d53058

SHA1
f133946af4aaf002da4742e498a59d5c73813f22

SHA256
6c8895ae305f72a29f8608164b5423df47e29395dad842a168136e6d0ae1d857

SHA512
e3b91e09593ade4a3d98609c2b574b50318e86e27652dc4a9500a1d11326725f1557f361c1692bd43410b40154e7de9ef72fd4c21c356060d47fd69e906ffa53

Download Submit