e1c4a8f5e7038a5d14d2e3fbcce78d2da1e8b9a5b705bb3a51c93fa7e528f806

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
Size

2.7MB
MD5

027f4ecaa38094f2c1e67bb2764dc990
SHA1

61acb7a9db73b09c3910596a13d55479485dcd6c
SHA256

e1c4a8f5e7038a5d14d2e3fbcce78d2da1e8b9a5b705bb3a51c93fa7e528f806
SHA512

75dd4d1619ca1289206c63ceb62cb36a66d61fec241c45b52c2eb455198d20d35fb7f4afdf4a9659b8d9dc81040419daad59503a9792756ee50a12880b331069
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpr4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1O\\devdobec.exe"	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRL\\optidevsys.exe"	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
2920	devdobec.exe
1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2920	1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2920	1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2920	1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2920	1976	027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\027f4ecaa38094f2c1e67bb2764dc990_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Intelproc1O\devdobec.exe
  C:\Intelproc1O\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZRL\optidevsys.exe

Filesize
2.7MB

MD5
f431ba78c2027f1f6f4373b72809c25b

SHA1
c9d3db23370eaaa04fea453e4e9ee37ece1d2080

SHA256
41b5d440458dfd946758f92b599ef223cbe8279d65f62dbb442ef015ed6ebf22

SHA512
ea808bc49ccd2b770caf66e66704d784afdbcb434fedf505de10d1005d760245ca7deba6573a5740d97617d69966c736dbc2a0bbbfcfc11a4879865d970336c2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
685fb3f41662a849ea98ed8fd53121e3

SHA1
9c5f42afad5e9006a8b61402fb84e249f41887e4

SHA256
1703957cdc914bacfb82a67a781385ec1030350eef9afd1976142b485314eab3

SHA512
3082db01e471569667c9d5419b7f976269bdd2224f44dfe134daa7625931e4ac6b0da3f539c72e30a0ae7ad206a731cbe4193662ebe53142a92ede9450cedf79

Download Submit
\Intelproc1O\devdobec.exe

Filesize
2.7MB

MD5
e3b0df1f6084d41cf9ec54f3f493539e

SHA1
33dcf74051ce4bd6b4c24c95e3863fd742a23964

SHA256
b18a757228feed1253ae040a2c3a31349c8582cce79049ffc6777873f664937f

SHA512
c1384325ee82483d96b39ba0dd7376c5ac287f8fc839621cc89069e294af805e0941ff61afeb06cf7ca6ec06606bdfe78404f67cedeb326749cc918baa9c1495

Download Submit