5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
Size

2.7MB
MD5

6ecfd620d5cdfc6f490df65ccef4d070
SHA1

a84f45d60727d4fd3ac4025761ff5d384b3720c0
SHA256

5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec
SHA512

d2364eb63fd4d97a54eb9fbbde46bc686afb665103fa3105c84380a4a673124bfb16139f58eaa9f2511c0282521758acd22b45ef4b3995d2343371a83acdcf39
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZB\\devoptisys.exe"	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1K\\bodxec.exe"	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
2604	devoptisys.exe
1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2604	1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2604	1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2604	1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2604	1868	5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b3909b4d4dfce5ae9e94dc435f1fcda23aca3be2a49ac867ae96e18a2f14fec_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\FilesZB\devoptisys.exe
  C:\FilesZB\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1K\bodxec.exe

Filesize
2.7MB

MD5
732be3e5dd0a0d64b673a86fbc66b863

SHA1
8cff9fa9e8980e45067f9b8ddb0bf130b9382c14

SHA256
0814f0869bd17fe7c7c66a8e03b55ca67ab2379bc0cce4bb8fdf5fd1558d1161

SHA512
4043da4f84a07c766bd800f2444398ffb5fcc2edba35f4539a6374fead4b655a8a8f0931570db1446de4d9843ffea5f9b1944f3a5cb7146c40046c2b814d1ae4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
dd762af0e46ebf61eb15f5d60118e86f

SHA1
9d70669b650878325a696f773930be612ad4075d

SHA256
a4485e9516349050c2cc645dcdf73f788cc257e96f0031f382faad2fbde6a151

SHA512
d0ef5d5ae042b627a04ac93eda20b123962ae145ece831deebc61b4ea1368b767ce565be28670a269762f65ef48ba002f69a7d25f112d262f4f0a41592fec673

Download Submit
\FilesZB\devoptisys.exe

Filesize
2.7MB

MD5
fe176e089c9f336a824b1ceeb665d7ac

SHA1
4fdea2d2b4537d5d717a46ee3e61485ab0cd4911

SHA256
52e4901f9ca86ea8337ab7ce84c4743b2b8bf847274c07be80f7e624a8fb70ff

SHA512
14c0945357e4c4fab9baff3ebf3614df1b024ce542e85d012029b6a91981b270a667b8888383233f0ba4cb4b2a3487782c65633a707f0c27a78e4a7b66385c28

Download Submit