96ae24b099f7c2d76addf0d1f01aa7631bf59aa3c20269974937dfbb3104e450

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

871779e9328e720369e620739d699620_NeikiAnalytics.exe
Size

2.7MB
MD5

871779e9328e720369e620739d699620
SHA1

7a17be6112ca0257a18abeb1689fb071d9897376
SHA256

96ae24b099f7c2d76addf0d1f01aa7631bf59aa3c20269974937dfbb3104e450
SHA512

1ae9ec03205a62849565f224c4f2221cfe0ed22ad6dae079e04fe0a0d9aa1293e200047d2e697a91ee31cafcff26f9d2e2e707e3a795fa5a29600c71fcca9a13
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD8\\devbodec.exe"	871779e9328e720369e620739d699620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR4\\optiasys.exe"	871779e9328e720369e620739d699620_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe
2008	devbodec.exe
1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2008	1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2008	1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2008	1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2008	1276	871779e9328e720369e620739d699620_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\871779e9328e720369e620739d699620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\871779e9328e720369e620739d699620_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276
- C:\AdobeD8\devbodec.exe
  C:\AdobeD8\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintR4\optiasys.exe

Filesize
2.7MB

MD5
574c30195659d101773db4b80e4f7fc1

SHA1
378eadb6a906d89cee772adc822fa30850ee5ba2

SHA256
3b06714840bfa0316f59d33c54679c99b1548da2c96a8a8eee8653b010727313

SHA512
09fe67d5216b454d5c7853c60df2b502e174599397044cdef3f4d3c0cdf855360aad0a3b3368da9d4827722f4a4f0362058b54a8368e51f350c1472b3f38067c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7fc04d381abb76c39bbe3490c80778b3

SHA1
b6133ee53295ea2d0663c88c99b6c04925eb8dde

SHA256
fa85ae1e8f0a8f91eaa519039104c5d007695b550dd05afbd00cfd9ee2554ac4

SHA512
a3d7c059a0372ea9dbd554f38a88f3e64c4725061eb71e889f412d10d865b8d355aff0db712cf4a6124ae0a17a7112d2a60093a7ade2f72b3169de0677dafc37

Download Submit
\AdobeD8\devbodec.exe

Filesize
2.7MB

MD5
ed1c9bb9f491c1d4ae6655049b0d1c4d

SHA1
ba4259548b3032fa3fc710457fcb02a5a995765d

SHA256
32011c15455654ce436c6bfe822284f31b053e6d29d95ee4e65854378b7dde62

SHA512
d54e8fe8ebee033f889d91722f55d712af8626154c577571b8c4c92258c770ad6a33988ae64959e00110a6633c54d1972fd75c61c82652d49cf4640878e8c125

Download Submit