2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
Size

4.1MB
MD5

8f1369ae44d1518767649e616da8d5c0
SHA1

34021d0e54e5d3485606a7f3beee2f915b18cdcc
SHA256

2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834
SHA512

448b9aaca2dfc52f760a3c6e20633aa6a8ce9405ada1d65de268d17b97aaab43a2efa70fa3e36bac3bf6ef5e48a5ef53e50782266372d1128a832edad2a93913
SSDEEP

98304:+R0pI/IQlUoMPdmpSp34ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm05n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1212	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRQ\\devbodsys.exe"	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS7\\bodaec.exe"	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
1212	devbodsys.exe
1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1212	1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1212	1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1212	1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1212	1740	2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fc06a20fb9bfabe762bfccd23028c33c3ace035e8c7974e6f49981d96030834_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\IntelprocRQ\devbodsys.exe
  C:\IntelprocRQ\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
ab8cdc63eff5f574e7af23ed097b59c2

SHA1
cf54ec9675d01b720a911193e7b72bff11907aec

SHA256
9c8bc2ec429cb85bdd14c816da5ef04245129948b81376da397aae87ce8d7b8c

SHA512
4f1f01824a025caa4979e0c3ffc1e202d226db3a478886645524b378f6639d88257c40652933d9eb5806c32af07ead7915c30759fc5f82020924d27131c58c99

Download Submit
C:\VidS7\bodaec.exe

Filesize
4.1MB

MD5
ee81fa97bf5467811fe4fad3baa9453f

SHA1
d3e9a00ae20b751ddf021103d5a7d5dcf66f025a

SHA256
c5b523d48c8a16c84f3929ca10dbe0f600ad8641a74256203b188aa9761ce7d6

SHA512
166a4eb41de3b9056d24565dff1fcb15281c452d9d73ad6c399f9b7b704b51f9d61a722e44d1691044d6106aac8e3849889d85a9767b0bd3558ab0bd7a74c0e4

Download Submit
\IntelprocRQ\devbodsys.exe

Filesize
4.1MB

MD5
6b1dc3fc2b843c37ed652252df042d6e

SHA1
49dbcafaee252f3a1396e73b838fa54ccb2875ee

SHA256
432600b262ac96c2438d2f0f116c5386a64eb0511f1fec11263836b0a7c7f7de

SHA512
3adcb9d626275ac267e86e52c296ea65d89b60e4f8db16b67a4276880fca235a0d2cb29f01627a1da852fe9a81f7041c8d55543e68b6dc2ab4e8417f8c145a33

Download Submit