Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: 69bbdd449ed40e0c8f7f1fd845e74cb0
- SHA1: c14942952ee90682f5ab10b197f9d96ee9cfe891
- SHA256: 754c080edd00c5b98054c0e24327c4f57210c82a227f796894fe940b2f1cd154
- SHA512: 8456c18938b141a153c3e0b6be96826187688cae602f53f8e27b3cff8e5078f670b39f27b07ac72f4fce55652b2c99ac916282d4a440491c14297470f5e6f930
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSpS4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2968, process devbodloc.exe
- Loads dropped DLL (1 IoC)
  pid 2140, process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9M\\devbodloc.exe"
  process: 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSX\\dobdevec.exe"
  process: 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
  Note: both values are written by the original sample under the current user's hive (HKCU, not HKLM). The Run entry points at C:\SysDrv9M\devbodloc.exe, which the process tree shows executing as PID 2968; the RunOnce target C:\LabZSX\dobdevec.exe does not appear in the process tree, so it was staged for the next logon but not observed running in this analysis.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2140, process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
  pid 2968, process devbodloc.exe
  (the 64 hits alternate between these two processes; the sandbox lists each hit individually)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2140 wrote to memory of 2968; pid 2140; process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe; procid_target 29
  description: PID 2140 wrote to memory of 2968; pid 2140; process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe; procid_target 29
  description: PID 2140 wrote to memory of 2968; pid 2140; process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe; procid_target 29
  description: PID 2140 wrote to memory of 2968; pid 2140; process 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe; procid_target 29
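An added example, not part of the sandbox report: a small Python parser for the "Set value" IoC lines in the signature table above. It extracts Run/RunOnce writes, collapses the doubled backslashes the sandbox prints inside the quoted data, and flags targets that live outside an assumed allowlist of trusted directories, which is how an analyst would turn these two lines into file IoCs and a persistence detection. The first two sample lines are the report's own IoCs; the third (an HKLM OneDrive entry) and the TRUSTED_PREFIXES allowlist are constructed assumptions for contrast.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample block: the two IoC lines from this report, one per
# line, plus a constructed benign HKLM entry so the allowlist has something
# to pass.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9M\\devbodloc.exe" 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSX\\dobdevec.exe" 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDriveSetup.exe
"""

# One sandbox IoC line: Set value (<type>) <key>\<name> = "<data>" <writer process>
IOC_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>.*?)" '
    r'(?P<process>\S+)$'
)

# Autostart keys handled here (suffix match, case-insensitive).
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# Assumed allowlist: autostart targets under these prefixes are not flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class AutostartEntry:
    hive: str         # "USER" or "MACHINE"
    key: str          # full registry key as the sandbox prints it
    value_name: str   # value name (the malware's own "Parametr" above)
    target: str       # path written, with the doubled backslashes collapsed
    process: str      # process that wrote the value
    suspicious: bool  # True when target is outside TRUSTED_PREFIXES


def parse_ioc_line(line: str) -> AutostartEntry | None:
    """Return an AutostartEntry for a Run/RunOnce write, else None."""
    m = IOC_RE.match(line.strip())
    if not m or not m.group("key").lower().endswith(AUTOSTART_SUFFIXES):
        return None
    key = m.group("key")
    # The sandbox escapes backslashes inside the quoted data: "C:\\SysDrv9M\\..."
    target = m.group("data").replace("\\\\", "\\")
    return AutostartEntry(
        hive=key.split("\\")[2],   # \REGISTRY\<hive>\...
        key=key,
        value_name=m.group("name"),
        target=target,
        process=m.group("process"),
        suspicious=not target.lower().startswith(TRUSTED_PREFIXES),
    )


def find_autostart_entries(text: str) -> list[AutostartEntry]:
    """Scan a block of IoC lines and return every Run/RunOnce write found."""
    entries = []
    for line in text.splitlines():
        entry = parse_ioc_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def dropped_paths(entries: list[AutostartEntry]) -> set[str]:
    """File paths worth pulling as IoCs: every flagged autostart target."""
    return {e.target for e in entries if e.suspicious}


if __name__ == "__main__":
    for e in find_autostart_entries(SAMPLE_IOCS):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        leaf = e.key.rsplit("\\", 1)[-1]
        print(f"[{flag}] HK{e.hive[0]} ...\\{leaf}\\{e.value_name} -> {e.target} (written by {e.process})")
```

The two report lines come out flagged because C:\SysDrv9M and C:\LabZSX are not under any trusted prefix; the constructed OneDrive line does not. On a real host the same suffix check applies to the HKLM and Wow6432Node variants of Run/RunOnce, which the regex handles as long as the key ends in CurrentVersion\Run or RunOnce.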
Processes
- C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe"
  PID: 2140
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\SysDrv9M\devbodloc.exe (child of PID 2140)
    command line: C:\SysDrv9M\devbodloc.exe
    PID: 2968
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.7MB
- MD5: bd6e0936e1675b85849a7b7771cfe4cb
- SHA1: 7386b65e0ccbe4b0c8a68f02dfd457f046404227
- SHA256: 4979a275983931491f9aefdbdc9e8de6e9ad79b550cced5dce7bbee8fbbb483c
- SHA512: 7fe4e29e0701f968b2a471bee68ee3fbe746426d9a153eb5c5dca754c022349302677996b11d32e580a645311c22491eefdb34a7082d2221219a64c46c114c7d
-
Filesize: 204B
- MD5: b7eff09f91abd1aaff9b4711c489136d
- SHA1: 43a87a2bdfbab7731fdeb94457d010b172e01c0b
- SHA256: ce2be07f8bf0ea70aed9e8bad588020003bf3dd950ecc995b05c56aa0a063cd5
- SHA512: 74ebeceeb3a30bdc363bb70e162f097927e9241a19f413b3e860240e82f89ee2665943a3fd1e35128c46a883b015712b6269141acec371f688afc54bdcbb86d9
-
Filesize: 2.7MB
- MD5: c384716967e21c9c7aaa447fbd6114dd
- SHA1: 78f94c74eac0221f23ebe1ab4992aecd312a377f
- SHA256: b273fd702e209fc5725fd4472e6e8cd2ede28b405807967c07b0be7538029b9a
- SHA512: 948e3af733dead1cb386c59fd349036d56c1986e05fa8a14e9a80b1aa19653d430458e40d05479eec7e302c711f40269c83315207533f6d8831b997473f7d83f