5c4f2d43e4ee695044784740f11b9a7335c4697c7e41acc4123b552f272415a8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
Size

2.7MB
MD5

819dedc62b13a9cd64fb3685fb293820
SHA1

3766511f76eae5b23d3be9eb4cb10665ed073283
SHA256

5c4f2d43e4ee695044784740f11b9a7335c4697c7e41acc4123b552f272415a8
SHA512

6fe6d1f253bcfb6f586a3e7c621f7c0ad9796140bd3390be4305d204f0b9f508b32df475a39a50af81bd107f6aff623820c2bafd417b3c4176a0e66b4ab61541
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSpo4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1068	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocK1\\devoptisys.exe"	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBO\\dobaloc.exe"	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
1068	devoptisys.exe
1068	devoptisys.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1068	4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe	85
PID 4968 wrote to memory of 1068	4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe	85
PID 4968 wrote to memory of 1068	4968	819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\819dedc62b13a9cd64fb3685fb293820_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\IntelprocK1\devoptisys.exe
  C:\IntelprocK1\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocK1\devoptisys.exe

Filesize
2.7MB

MD5
c0a4d64096ba4817fa4ef91ff2e7091a

SHA1
10638debabba35576abf60ac4fae2043b9b2990e

SHA256
8bc1a920abbf539ad43ee8049dcde45e221c4b2407317a688df2bcac47838e6c

SHA512
952445be8072343df0543fb895efd853fb1e1fb263c4d9ea084a4e16440443ec45df22fd5d4af4c2434ed99944d68dc83a956e18d18962d83c43c7e9531fd344

Download Submit
C:\LabZBO\dobaloc.exe

Filesize
9KB

MD5
bf965ee8f9d95b943a5ea888a522c44e

SHA1
69326314abf4da6764942ada42d063b44fb707c9

SHA256
13c64f8ad509d213565146a5459b79218788b601d1d572943dfbacb755233c7e

SHA512
c5b066aa1f9c4aa2d78f788c9be796bc4016f479bb94a04aa8acc989526f1637cb18b97eefb4cc366cf3b29b7f7860dfe7860a23ddf51ae21401c53b0004d60b

Download Submit
C:\LabZBO\dobaloc.exe

Filesize
2.7MB

MD5
7b24d5dbb805d38927aea880bc85079d

SHA1
2403c1a6903780489299186746d9b6f229e34fed

SHA256
9ddb686dc0817364bc6c304055a3be222e17c60c85f4f104062e59af359396bf

SHA512
78c91542f2d572f445cb8e7903c1810956e6ffd33e0717108a446a0355ee5997c9961d93e5df6005ea30c88a3d8bcbc729699dd431fdfcc6e8adcd5ca5917d9c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
3db382f918433362240e695e0e64aa8b

SHA1
0069d412418cce3d4c37338fe7967c421a87bef5

SHA256
cc75dd3f8e019907ef3d10fc9555e0a145970a5d936c23bf1b2ec3ef282cdfa8

SHA512
dea3b1ede4c852a47fe5651cc417a22d813f19af77664497312906ce69dcdb609c9f5891d619aee41f33ca6d4a13a73114c66a845373e3d96c9a9059206b2e0e

Download Submit