f9d86c23d34d87325b00eb1a64528a07a9318bc37bc6a037822b4a50a0ec591e

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
Size

4.1MB
MD5

0c467a5be02983e34825cc0da499f220
SHA1

81a089f9825885cdeaec115fa68bb87abd6b5998
SHA256

f9d86c23d34d87325b00eb1a64528a07a9318bc37bc6a037822b4a50a0ec591e
SHA512

575957a0574b55164a71db0b4eacc9732b85afbcc6e3d48c0a1cca3d976e05dfd39f7016f739b382f21a3a7149e5b71a7a7c411452aec3892bcbf26c3b46006d
SSDEEP

98304:+R0pI/IQlUoMPdmpSpY4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmv5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4956	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLL\\devbodsys.exe"	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRG\\bodasys.exe"	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
4956	devbodsys.exe
4956	devbodsys.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4956	1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe	91
PID 1144 wrote to memory of 4956	1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe	91
PID 1144 wrote to memory of 4956	1144	0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c467a5be02983e34825cc0da499f220_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144
- C:\FilesLL\devbodsys.exe
  C:\FilesLL\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLL\devbodsys.exe

Filesize
4.1MB

MD5
f2189412f4894cee9202578e6b009d61

SHA1
04b8d5b7746bb39e10f795e6a1c9e34282828d6e

SHA256
20b3c0dccf15f258aaef00c6420f1e009f1db35175246228974b527e161f4f6d

SHA512
01f5be98091dd5cccb371a20dfefe39acf5aa0afa31b5962390f16426a0a080ff9f5e62780e91c9891856745fda501ea39a774dac01bcc12bdf77216ce2358d0

Download Submit
C:\LabZRG\bodasys.exe

Filesize
4.1MB

MD5
7f535a15f406e83dbd4f51c195b99488

SHA1
f699e1e99889ae1531bd60416ecfcd6ee894bc16

SHA256
ee712640ed70b65cccfa70cdd02f070966ae1d60f324150700e3ea04e8e0af83

SHA512
d0a431e62a6246d9f497b4f8f241f6779c453c8623278988355e29d0f6e16ed0d4ae99e2325ef0400c9864d187e374974f322fe32466f925ef385cc825c4615d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
40c3ce571e39222ef28fcd73c69790e0

SHA1
d9e2fcd5c3da143abf83bbc8fc522720946b3281

SHA256
d1cf4e32d39dcab8429f16a25422650c70073a8fbf7ba85ca37e0481a8e1d271

SHA512
77fc2e428c0f03333d1fb795822220887406c5d5a9cf1349d6818d3df10af01621d1e2245c8f5ee827dec9c031f1dc585be7282ddf50c94e4e71c19b94fc3315

Download Submit