6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
Size

3.1MB
MD5

00e3e21b6cf3d704d56862e9d0f8d380
SHA1

45301721de511dfda3bf53075f2e568aebe23e45
SHA256

6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90
SHA512

e95de8611b47f4eead1352dfe400e410b229edf5caad16fc308036f0e5006bceee0320ffb404995644200034e7d2c1bc7401b878040a9abc4c79a4dba0691ea2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBs9w4Su+LNfej:+R0pI/IQlUoMPdmpSp+4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1600	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe76\\devoptiec.exe"	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT4\\dobdevloc.exe"	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
1600	devoptiec.exe
1600	devoptiec.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 1600	3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe	89
PID 3128 wrote to memory of 1600	3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe	89
PID 3128 wrote to memory of 1600	3128	6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6295c6448a431b5417e64b6bf6e1c47a41fa6365df9af3072c83a6d8f7b7fb90_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Adobe76\devoptiec.exe
  C:\Adobe76\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe76\devoptiec.exe

Filesize
3.1MB

MD5
6c40df96316c1fb53800f2d512ab4197

SHA1
2a1584439de7acee0f778793d793efa9bfc8317d

SHA256
582d139ec58faadde554dbebf76bba68efa774187d25c4c4360e8e80730a8abc

SHA512
319f513ea9a97d47ae7726458f887fa01dd1a99d2750e3b5b8956d6bc8baf2250240f51c22aa571503e30b36a695401b8fcb84d43107744448cb2577a5e817b3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
eeab7615b522c11d098ec2d562749fa6

SHA1
35d68b5820c284c3795788ae65cfacc8ccf58689

SHA256
04914fc9cf895c2596c84b9b4b9e33f5235c5792d5f4a45649a952d1cff3b236

SHA512
e7d169901e9de2956ee67270adc00ef4be65911108fa9e18252829634eb35a78210500fde3bc8b3b9d38bafa979b2a02a7455565771a4af4ebe09fb7a036a479

Download Submit
C:\VidT4\dobdevloc.exe

Filesize
3.1MB

MD5
e3d0bcb3076c3970aefaec93727689b8

SHA1
6bf7dcdd341b93c06164b9f68d6831470f572485

SHA256
ea3d92db29ee7fa7afa5d499011024da1e90c3b776e7fb6a782302e1856711d3

SHA512
fd861fe24ce0c6c71374c1d0b1ec269c01efac8543cae70bb95d02d4ddba3a79f32891842905a37e9aee97bbc86df8622747a1cf7586bf1b6f984b7b5a8bb903

Download Submit