368e5fd0e1d62e7e1737dc76973bce95ddd380e9b5901b8ba5e47608971bf2ea

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
Size

2.7MB
MD5

e62a02c3997cb250303daca093c63660
SHA1

06553a6a686b914268efb174cdaa74fe6a9d0cab
SHA256

368e5fd0e1d62e7e1737dc76973bce95ddd380e9b5901b8ba5e47608971bf2ea
SHA512

ff6caa609e8568c9b51bb3549fe1efb777b868253d929d0712f4cdb5db78b9b5a3e8e2af21057e7d569669b6d801b8c53e75209ff352905358d5858e4c094e60
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1560	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7A\\devdobsys.exe"	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid62\\boddevsys.exe"	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
1560	devdobsys.exe
1560	devdobsys.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1560	4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe	88
PID 4828 wrote to memory of 1560	4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe	88
PID 4828 wrote to memory of 1560	4828	e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e62a02c3997cb250303daca093c63660_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Adobe7A\devdobsys.exe
  C:\Adobe7A\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7A\devdobsys.exe

Filesize
2.7MB

MD5
f71a86eca5c7474b6709e593345d1bd3

SHA1
e2b5315375f21996ed20df21ae86bab58a84b69e

SHA256
6575582974104f8b5e4f5ae0b44d059ebfd4cbcb302eced25f86945810011f3e

SHA512
08c7aedd432f1dabbf3b91b1feb5fe59f8b1c9c697307097df39263bc1a40124aa31dba071ab404e200995f6a99cf7393f2a8171a0f2850f17e119a04821ac8f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
cfd2055e7e0395c165078585e453a3ab

SHA1
4a96941ae19730012722c98d5fe340616136ff47

SHA256
f72e8554c766c75f8b387e447cdbfcec6496eb6732dac45935cc0112a1f13018

SHA512
7ec78b1a472aea943305d9850cbbce8eb79b4f998f997b2272eff5eaf73ca2447324d9ddc737a1a72a94ba9d9dbc20176d41ec0ec9ff25370825f418f06d4794

Download Submit
C:\Vid62\boddevsys.exe

Filesize
2.7MB

MD5
1abf6f7e79dc7d2b6554981755b3fc02

SHA1
3e411e4be2e38588799746f4ac8b88141651551e

SHA256
16ea06736cf99128c8726adf8aef47a2fd85464c825672eab7cc6b18dc3620e3

SHA512
3abc52bf4ef0abd419fcb3df6c9facf7f654316fb318117a32ec83b69148a2f7dfa797c7207058856c5153ffac8ad148531198753775448f341c16243d0baf27

Download Submit