3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
Size

2.7MB
MD5

3fc593f8524fce76f18b229567d45d20
SHA1

d7eb7049ddcf011a310c07d9d9c8353e191e0cb0
SHA256

3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe
SHA512

31f5ffa55a1d7cbd011507bca7d1cbe7088b55dbb9a57eaba149646a5a3111fec2374443f9740600e46361890d73dcb6244199f80499bcef01a1d638a0934378
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Sx:+R0pI/IQlUoMPdmpSp/4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3680	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHT\\devbodec.exe"	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKQ\\dobxsys.exe"	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
3680	devbodec.exe
3680	devbodec.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 3680	512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe	85
PID 512 wrote to memory of 3680	512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe	85
PID 512 wrote to memory of 3680	512	3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ab76cf88e53905dcb2ea4df35b0125c53c24fa75eca54520152cc5be02ce0fe_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:512
- C:\AdobeHT\devbodec.exe
  C:\AdobeHT\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHT\devbodec.exe

Filesize
2.7MB

MD5
4bbf89f26b58687ce6583c41c9dcb9e0

SHA1
6f6fdb3c2c042780a4419de2b86ffa9f92e99ee0

SHA256
a05ddfe382642ba894d9ff90e46e793d8ef57748d481f79c7c4b31e394ea5ddf

SHA512
39b5b938d7357813ddea1a18743456d0dabdb9d89d870548872bd0953827d0ea32cd66d109a2707876c5a8cff7d1cf73b0446e2e225e0c67887fb3fb425c3896

Download Submit
C:\KaVBKQ\dobxsys.exe

Filesize
25KB

MD5
c7029369c014b701af5519cf91eec60b

SHA1
f90f11ecbb69f11bdee61486d016cb5434d31f48

SHA256
49c3175f676bfb91b578d248b72386d1238bd37e982918c02dfe6e10dc376777

SHA512
7c3b07bea20568ba916d8e2d68b9bd4d5ee97e72f00cda271e84ef59944b2562e31249c84511027af6d1f3d6e725a86c6524a3264e9bc72a0a895c3cbc1b0f2e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
7ed435e4ffff29a58c89dc51985c8d83

SHA1
a490f24b9188a87bd2cccce40a8d4e50dc638855

SHA256
473d46b6ede2ceb246a0b0f146a0ae643fbb2749072217ddcd8e71c32b719725

SHA512
bceb6694871d94743fd1381078f527701e3c66bc567afe79563ad6d288dce01c9b4aac45d833ec894a75ed2c2ea18380223f6d9a2550247066641f6efd4d02fa

Download Submit