76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
Size

2.7MB
MD5

2649dc03a660a93d51e5a255764c2b70
SHA1

c39c2d20a67151dc6061a31fa1e1425a2cf5e26b
SHA256

76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768
SHA512

0479fe230358cb2a4122ea7434e48a81ae1514b1a9af7d61767a4c733b6463f172595f26e2b26f3d01fa197df7a8c4dcdba18035c16e532350c63e6ee7c3757f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpL4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUB\\devdobsys.exe"	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxB2\\dobdevsys.exe"	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
3008	devdobsys.exe
840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3008	840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	28
PID 840 wrote to memory of 3008	840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	28
PID 840 wrote to memory of 3008	840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	28
PID 840 wrote to memory of 3008	840	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840
- C:\IntelprocUB\devdobsys.exe
  C:\IntelprocUB\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxB2\dobdevsys.exe

Filesize
2.7MB

MD5
34616003494371c6b271806419968a0b

SHA1
dfcc96e884585dcbaee7f08d0392963f800e6636

SHA256
9a43b388868831fccf641741b6339572a105a8c84ed60d8337a505f0c8882e83

SHA512
f3954ad4426a3207f1bbe17af4f533af1829c1f7ea7972d6f395aff64dbf8c3d02f654a2d1b123c1e66da22a0e66cb321f44221a3d7f46696cdab208ca703b9b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
211B

MD5
86a2859a47aced9790ec2a602638be52

SHA1
59a4b494c7eda4329ecf6bd48c7d04ab53e393f4

SHA256
b8e97c6d465e06b3309301a3ecdf6475f3eab9dff60f018a1dcf1770d08329ff

SHA512
12f8e52d286f323a7bc4a0e6cac6f500c88727096165ad82156c27e7dd60d43229540daa91fea6cdc0a67f9186d37cfb8a147c01c6b916cd9b500ebf290b573a

Download Submit
\IntelprocUB\devdobsys.exe

Filesize
2.7MB

MD5
b73bec49d3272a29c57ec52097b83c30

SHA1
b103df643d0d7a1ed7f34c43c0a1ee2284b43d8b

SHA256
1294b8e48cbbdebb8f05e97fa3f1243d24e87abee7407766e26b4fc21087822c

SHA512
1d9df5fd741e062803df0cbcff9a3fd031545a6f1e30deed6913dd483569c801cd557ce073183abef602d9b52d805a63331bc08dd1f4d538ca3d27ae72ab4339

Download Submit