26ee8c7abbef66031f2033a8ba70e542c4e857fa5aa9de81ebc75bbd2fb5b3d4

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
Size

2.7MB
MD5

3eda31eba6c2817b136f4a27e78bbd20
SHA1

b587382f415551ef4a9e2b3c13f86ea97b45bb4c
SHA256

26ee8c7abbef66031f2033a8ba70e542c4e857fa5aa9de81ebc75bbd2fb5b3d4
SHA512

f1f4db713fe2576c118cd18c19287698eb9f5371e252fad9952e2d26842dfc8d4fe3b555d938f15deca42979872f522f82473328157bd12b4c37ed5d7c97b0c8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSp14

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUB\\devdobsys.exe"	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxB2\\dobdevsys.exe"	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
1936	devdobsys.exe
1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1936	1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 1936	1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 1936	1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 1936	1716	3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3eda31eba6c2817b136f4a27e78bbd20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\IntelprocUB\devdobsys.exe
  C:\IntelprocUB\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxB2\dobdevsys.exe

Filesize
2.7MB

MD5
b24fe7890889b33fb299c000d54bf7ed

SHA1
bf007fad90ec6ac434c761d88ebe178ce28e0355

SHA256
7ec8ea855ed469a38a723c687096eb0c8e1def8f65fd215cca2378a62bdf9dcb

SHA512
dcddab3aab807cc52a8f0532ba52311cca0ad150b2868ac6eaf6bdcb6a219f06b05889e0bd1fe6573b374a5bb770ed2801daca1187b1d44ee31e9169a701ccf0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
640c2dd71bb59b1335a2473df10ce53e

SHA1
f0d12b9935652f5b7397a13df9996da6ba334ec8

SHA256
084f1faab374903d62840f37feb1a0ea8b18f3aa880e6ddf815bc236da331bd5

SHA512
5d7e8801a83a25d3ab34166a97e64524f783a14905b1d9dfbb6b54344b902b7ea2359bf3bc38ad1557df7d0eac617c801e51e94a41e1af80aebc3ca03032b659

Download Submit
\IntelprocUB\devdobsys.exe

Filesize
2.7MB

MD5
880288e4ec7454d7c362e858ae806c96

SHA1
cf3de7167d3832c7f5834cd81ea2ed3f2da8d840

SHA256
0cd4d098188db52c684f27b6a3cb80424277403e4bf498f347e5d96e3430203d

SHA512
ade1a779291d17b93c9983ca1da54acf0f8f763414b13a2799906334f446291942ec7f94ccd24f114bc8412b2e3349aebed395c384578d06433ad94ffea2514d

Download Submit