6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
Size

4.1MB
MD5

a4aa5fed2968e57e0188f9b07cb2f910
SHA1

0b8ee0e995df0bb0a6c75f8bdde280052ddc5d55
SHA256

6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812
SHA512

eaf945b13063eff8b8ca57cdc99450648c902957cdabe34500ea490cc935148a3022b789b6d02fe435fa4d3b1246b25b07ea679007dd276d73b20e633de8892d
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmU5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc11\\devoptiec.exe"	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPJ\\bodxec.exe"	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
2928	devoptiec.exe
2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2928	2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2928	2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2928	2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2928	2232	6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fd4b5d976e95078948dc8b29dc92dada9128448287774e8b1c9fa4555262812_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Intelproc11\devoptiec.exe
  C:\Intelproc11\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZPJ\bodxec.exe

Filesize
4.1MB

MD5
ac4a8586b2b911cb90358c76c2ab4251

SHA1
532a07c8600ee113629459324606e2de84059c42

SHA256
39f02b8d944a758564b1e9daff3248b36473f1e79eb6aced6fdced8a9a3e68f6

SHA512
2064e10897c03a47e60b427f59f908431ab36076d6468ddfe664d14eccfa6e72e12d31f39f9d30418910019888029021a52702469236700fa4427771fba722b3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
5bb5b93289226de009903837054df2e7

SHA1
9861297472f566223fef3bd28105f299cc62e039

SHA256
6648c842d7e2800a97ef9c438231ba62a9aa6020719f07756a78db50c988ee6f

SHA512
cb31f3f3f8d1953e11135c20a58988e39dc876bdfcb8237b6503db22aa657af93321cea98274e6a10b436c07d624fd1815482be112f9fe482bede4b6ac926c85

Download Submit
\Intelproc11\devoptiec.exe

Filesize
4.1MB

MD5
80fa438d54e5eacd636a88694bf46631

SHA1
cd75e76b951a7c7a2f3c6bef70ff8c458760bf42

SHA256
d3a49f6f37cf8cc335d80f92f0b9d0e81aa15e61e6f8d3b987f9a4b49ff8c6ee

SHA512
b8a3226d1b982bafdf52ec75415b42a1a0cf0e462b8160a5e081bd807364d365e95bbff0729f2740d4d5872d8501e0cb85ec9086b29f314e56a482e4fc997c59

Download Submit