3c379b6383bf9d321134e87edb7933a7cca6ef4d624a3fb0e79222f29b765ce0

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
Size

2.7MB
MD5

1529cb9a6748cc2d8d7b962d418ba400
SHA1

e053edf50510bd0ba6081e0e91bbb04ff330bf09
SHA256

3c379b6383bf9d321134e87edb7933a7cca6ef4d624a3fb0e79222f29b765ce0
SHA512

4d3dbd3bb814a8552914423577703910d6bf33ded825139520956b784eee8cfc04f6fa97c00b68c60c6d60adbcd1356dc3486308e7baa2e701a6374b7169037f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe"	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe"	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxdob.exe	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxdob.exe	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
1628	devdobloc.exe
1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1628	1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	28
PID 1072 wrote to memory of 1628	1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	28
PID 1072 wrote to memory of 1628	1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	28
PID 1072 wrote to memory of 1628	1072	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Adobe7M\devdobloc.exe
  C:\Adobe7M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e4040ed3dd04eb7906ffa45ba4c5b1cc

SHA1
00e2bae589a1c497779fed483b6e3f9d1fb9d595

SHA256
29d90ae9a1ae8c7cd74a94cd4cdd9921723f1d50ced62c9c3a2dd19d5166389f

SHA512
7d07c4b1f0df9a744edb1bd8c0126904f92e03cce73b7f85ea4af2fd842d5ae27e09c02bdcd95c76579a6d68e246c6fb241e7739bd547b9e446b4aeb3b82b84b

Download Submit
C:\Vid9U\boddevsys.exe

Filesize
2.7MB

MD5
2e4eec186d22697c0222e0c20b2f873b

SHA1
d1a7acaf3a4ceb55406600863752155af2ea2c04

SHA256
a8e1463b6ba9a9b71c10fb2bef6ab0649c0fb2be3234be99cb32e61f2d265f4e

SHA512
4e3c1e74ab393f1eff59f7d8a187a4af25db05a903f97a2f3d0fa0c43125f75a60521b114b985b464c0db0674198a2999d7f717512b5bffbcd8bf4d47e226d78

Download Submit
\Adobe7M\devdobloc.exe

Filesize
2.7MB

MD5
4ace8d4bbc0a8c07347e1c5438cedfd0

SHA1
08628e0d7d4482f26958b81584226eafe1f6f346

SHA256
22a7fa8ea5fb7bf2a10104f1474732ed48cce1624146c047b3ff5cacebe9f404

SHA512
8d16a18cf3bce2dc8581b66209d0f86716522452c77825743d3b31deaa25e4d30b7bbca8d568013c22906fc8b4e874ec15f206f5af0860d2cc076b37daa29d89

Download Submit