76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
Size

2.7MB
MD5

2649dc03a660a93d51e5a255764c2b70
SHA1

c39c2d20a67151dc6061a31fa1e1425a2cf5e26b
SHA256

76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768
SHA512

0479fe230358cb2a4122ea7434e48a81ae1514b1a9af7d61767a4c733b6463f172595f26e2b26f3d01fa197df7a8c4dcdba18035c16e532350c63e6ee7c3757f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpL4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0U\\devdobsys.exe"	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAL\\optidevec.exe"	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
1500	devdobsys.exe
1500	devdobsys.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1500	536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	88
PID 536 wrote to memory of 1500	536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	88
PID 536 wrote to memory of 1500	536	76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76b9286a1578eecb26f1903661e04b09a53f251be6c2c3dd2913adf7415c4768_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536
- C:\UserDot0U\devdobsys.exe
  C:\UserDot0U\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot0U\devdobsys.exe

Filesize
2.7MB

MD5
02dfe7b522f40976f2c6384608400a43

SHA1
15f0c40ea11367bc9809f3e54d500e407dc38e4d

SHA256
e9beff4282862fab35fc8ad4b1ee6dfc7a266e991b3eea29d82556d2f1c1440e

SHA512
4ebd96b9cfab61f929860761641b86c05a78d1d99700c4a7e54c8633d7bd81a3a13676f6d357eb7d4de91a0fc0ce80c29b056c300dcb904c5296f0ca2d8fa85c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
0b20a4f6e417702fa93548a308946cb0

SHA1
bbefb7fb7792543b9df087d2ac03ccbcc6bf3ed9

SHA256
b431efa7cffc640dcad7d9aab5a94590e7f23a7152bd2ae1eba057e140c6dae3

SHA512
e28532a7c45c703997d0233b514b8bdd3f53c0eebf2b0ba4b7e77943eebb0c2ade05d94cf264efd9f66b080c958d6c65d7838f365b521040b90fdc82b0331c64

Download Submit
C:\VidAL\optidevec.exe

Filesize
215KB

MD5
6f4d48303718d9240772ef27378f4d8d

SHA1
765ae0f2a1ad82d49548c0e5f3248976626a83af

SHA256
20be322d14d645fa7e012e0ac70f2d0b221f8289c1633fd0115f5a4cb030702c

SHA512
03059c399f69cd209cae4e7e2b7be5e1dcfba3667af4cb4f3ee0792b78b8585e205f40f57fa4b547fcdb7c1d027442be4e60b80d0457dc34cd82dcc54494e32d

Download Submit