8c6c88c5f5eee60219613dd1de8bae0aef85a97cd777971a18d886f87609472b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
Size

2.7MB
MD5

34ae3ac414a4387363852bf9889f4540
SHA1

88e37f6193017414174284b6c4169eaf0dc480b5
SHA256

8c6c88c5f5eee60219613dd1de8bae0aef85a97cd777971a18d886f87609472b
SHA512

fb40afc9dfb453b0ad1667fc09463aca79f11a8fc832986d0a1c7db1a981d7df211f40df38fb9b50243d46bcac897b18eaadea8dd7e1fc4f6f9a4e43c73f55e7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1816	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9Z\\bodaec.exe"	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5L\\devbodsys.exe"	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
1816	devbodsys.exe
1816	devbodsys.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1816	4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe	86
PID 4952 wrote to memory of 1816	4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe	86
PID 4952 wrote to memory of 1816	4952	34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34ae3ac414a4387363852bf9889f4540_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Adobe5L\devbodsys.exe
  C:\Adobe5L\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5L\devbodsys.exe

Filesize
2.7MB

MD5
6862c6f20e3e7d592e3566a38a4b459c

SHA1
ec2e5f2f6ec4bc9ae2148907724fe50c0338df6e

SHA256
050c584a2541c5f08e9d683aa66c0931139334ca6edb4d5ff7ac8cf6c041302b

SHA512
a4d71dcb87a511af3dbd61ac62bcc577f160228aea8529e2318347f77a5f3a99a5b8c28ba8790abe9946ef4978907ecfd718c78e9aac168faca7720a434cd413

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6482c9eede5e234a8a4feb1c98f1ecd6

SHA1
d2f56258ea3230b2713d6daaf6f8316fc9848ba3

SHA256
4148184ba8e37548af452f5b43aac59df8274446d6b2178ee21edd6a9c84dbe1

SHA512
6b01392a26ab68e537c98e543933f6e63ea043a597e1b53df75610edcca7c8a53b968a34fda44684289199855427b633c60f903aeed0f378ae850c3ce486faea

Download Submit
C:\Vid9Z\bodaec.exe

Filesize
2.2MB

MD5
fb5842104aef8253e60ca42530a19bd4

SHA1
9beae6120e06a4c7b901e5567f5232c28e2c9b67

SHA256
ec3c9546b6eb6d7a7af5f86b0cc5fc19e743d933ef861bf5263f38a62d872a49

SHA512
cb962f16eba1aec464c09ca1e41bdbf56c1555f919256866aad70d452d632cd294ab01ca44a22ead5705b434c534aeeb32e2217fd74c744ad483f0c3328f9037

Download Submit
C:\Vid9Z\bodaec.exe

Filesize
2.7MB

MD5
02f969ddab5b162a6a0ec23707acb71f

SHA1
6a8514a96a44240503de1720aca675f612b24f89

SHA256
89a544b9b60ea8c93683bb81dd2537c9800e81bc4a0f80933b5425ca8a625d0c

SHA512
d6775a874e20ca0e309f87e388f3c718d762c8562d549ce3726220f602d2e6c5839889640eefcd8ed2f86f8d43f4104e4a519791c83c842b9edfbcc8167e4094

Download Submit