44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
Size

2.7MB
MD5

7c417d2dbf7d90ddb9234a0dd0704650
SHA1

1e836992f0f46d31c6df2427f4db8b9faacd67f9
SHA256

44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce
SHA512

f85ac9a07af23ca4984533882b83a7723dc44f5f86e8a31c30d4f8a8b866eed5a289b31733c9c44ca4b348b0614b96e111cd0f5e7949a90f9e19630f4abd95d5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Sx:+R0pI/IQlUoMPdmpSp74

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDR\\devdobloc.exe"	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCT\\bodaec.exe"	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
3256	devdobloc.exe
3256	devdobloc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3256	3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	89
PID 3364 wrote to memory of 3256	3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	89
PID 3364 wrote to memory of 3256	3364	44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44977d0776ebea25223efc659df79a40f1803808aad16815d81ea77ef3d4dbce_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3364
- C:\AdobeDR\devdobloc.exe
  C:\AdobeDR\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDR\devdobloc.exe

Filesize
2.7MB

MD5
a0ccacd1fa27cdee42ea2625a95b6e60

SHA1
409d67ce590148cdb0135b1edfd5cd80f1226281

SHA256
89bd36e92c93dbc852976d15438b98f2a6a02e0ab37941ddbe2abbda25763a68

SHA512
5d257d33cb5ee15c8adc1b97338d40a6d186aa42b04613683e303b23e84363ac3569c54c0844bb7ad93336d59c1427ef804d8742d591c78a7fa41bef08ba0350

Download Submit
C:\KaVBCT\bodaec.exe

Filesize
2.7MB

MD5
3ae4fb4e6fbf25d8855a435fbeaeef14

SHA1
aa479d3a167ff592ba4c0145302066f40c237562

SHA256
0b303a4dca5e2266ad8a90d825defaa2d4ad3b02517b35f6fc2375368c2b99fa

SHA512
54fe05e0fd04e2b5659fe18c4eac41c46ebc39f4b480b724349b60727de85922a48660e4c656d066ae9cc91644db44247721e86ea6f162000834c5996a92b04d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7f4898d0ff6e1425c7076f570e53577b

SHA1
6a1e9d9e252faf70ade77198b74ae6e996bd07fa

SHA256
f4118877ba0dfe68a7980ce9a501cbb5c9db4ec476d7b1de6fce4221d93def37

SHA512
6ddec99798b164862802f7d1017e20d396a14f94563af5b8c32d23abd9f2ffb9936cf94dd634c1728a87a2f59828f808bbbc9a9bb8d65a6d9167125b8d21ee11

Download Submit