2bb6cf1695905b045958583304026ee2e1173e86cc82271c204efb9c1436c30e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
Size

2.7MB
MD5

4172abfc9ca3cda77f3eff2f6d398310
SHA1

980d13bf8904a18bc31f83ce4865b98881fbd6fd
SHA256

2bb6cf1695905b045958583304026ee2e1173e86cc82271c204efb9c1436c30e
SHA512

a1247f987426f0b3181dc4478248b7be16960564bb6ac33f812eb990caf713eccb73387f748f162b71820e215ec406d84936e77a3201170bf552104e68ff3f8e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBY\\optidevsys.exe"	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKY\\devbodec.exe"	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'sysabod.exe	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'sysabod.exe	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2200	devbodec.exe
2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2200	2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2200	2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2200	2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2200	2216	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
- C:\SysDrvKY\devbodec.exe
  C:\SysDrvKY\devbodec.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZBY\optidevsys.exe

Filesize
2.7MB

MD5
95b8279c924bda991c00e27b4f02bf18

SHA1
63882af9de1a70eb0dbfdf38ad011bb521466fad

SHA256
3459dbcdd37fde97e2951c9da9bd52e0ad589cdcbf9df66d11eb00a43c9805e7

SHA512
4cc5c7c4bc32a7621e02fc392d60b07df5d0decc1de5aec4c0b888cd0c9305aeb9b55bb7b3ac5392dec9380d2cbf7577372ac0e6f4a353701c60cf78de1891c0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
7607dd0317ce604d320d6098e83f462b

SHA1
b4c7efadcbe0dde83510b6143e79f871dbdb8d0d

SHA256
393eca60259525ed6939eb7f64a2b49a5416c4e4a752d21d4625e6a629ef8b53

SHA512
e54543531afdab995b543018a0a98e7f2a52c5863beb9fdd03e06feb3b68c473d4a4b047f9e9671c366ef4904d183fc3ba43d0a2ecb650601de9a27b184f8864

Download Submit
\SysDrvKY\devbodec.exe

Filesize
2.7MB

MD5
5a10b8e60be14eed65f1cb60b7e38abe

SHA1
60004709465cd8a5eb49e729d0662b4e3cb0c297

SHA256
49e09a671d34294a4116c083f96fbd137469f732ba98c9be724f490607a12a59

SHA512
7f10b50fffc98ce1f2b8d938606f3e2fb0dce211f4556c7a94ad54adfcbf9d031d6204deed96c55836e790fd1fb29f5de414f95bea8c572c91e0fa7b4aa0e9ce

Download Submit