227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
Size

2.7MB
MD5

5673891ac255cbbc51cc856b832a82e0
SHA1

169dd99a62aefe952ef781dc6fb61774d65b52c3
SHA256

227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695
SHA512

7db1830da0364456db37637450d2de175638ae07d223965d4a4540f4c4a53e1893b2554b634b70ec96e0f624e4437cfb0f2f0dab776b94442bf88c26ce339529
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSp/4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3596	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOT\\devbodloc.exe"	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3G\\dobaec.exe"	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
3596	devbodloc.exe
3596	devbodloc.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3596	2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe	85
PID 2144 wrote to memory of 3596	2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe	85
PID 2144 wrote to memory of 3596	2144	227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\227459ca6385a0a89c0de29a9f9c12a969fb7e9bae22ea2de975aac65f32c695_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\SysDrvOT\devbodloc.exe
  C:\SysDrvOT\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvOT\devbodloc.exe

Filesize
2.7MB

MD5
9e0c43b41a4eedb189d7ccb84230249f

SHA1
565337604a87cc0eb5fafc51e7a4d7083d3dea4c

SHA256
b1fae7f460d637d1bf34996c90e3a04338321fdecc3d93977e2f6b3224c11784

SHA512
e65a411d3456204ded8607ff32ebb810ea37e2e47b53911f338cee0a158f43da71370e37c377aa5da60be79bf7fd6c320dc310b06c4e324af24a733b93aff5be

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
a7e43f4b956b1b38635f38cd1bd54380

SHA1
f15cb3ff87405f2949b0688cb873287cbc4bed67

SHA256
0190197e810149e232eb837454e27959bc256baea41ba75e159710695b25958c

SHA512
2a687e0e64306cee2da873eda4d99b40b7339c91d2979c525d3a39b0f545e6309184a10f791c6adc3eac1f91bab1911abe21e4746d19787bd3d88acfb9c40072

Download Submit
C:\Vid3G\dobaec.exe

Filesize
542KB

MD5
9f612aa253777993dd1e1efdcef2ef1a

SHA1
5a3018f0ce7e53d63454afdfbccabb43d32abc8d

SHA256
a4d08628c6884ce52a0fdd3da2f6ee2205e525753f5b1580b355de84877cdd34

SHA512
8c7934451ce21ffb447e6f9f39e15afda71b070d9bb579dca93be259a6a288780f84c4b2008599f168cfda09f7d4d766448ba235bed69613549e4789e5b71f13

Download Submit