7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
Size

2.7MB
MD5

a2175b6ea9c69be8f6880a80bc2a2b50
SHA1

c9df94eadac113b8f4258feaf5686087590e386f
SHA256

7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca
SHA512

f373870cb7f52a302ef84c555b8ce61b3784cb67d080205a858c9321b9a024a2b9286c9f40406a83afabb506d8a8691bd7b6ec838c9ad80189c249eda35138f8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3956	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWC\\devoptisys.exe"	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZZ\\bodxloc.exe"	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3956	devoptisys.exe
3956	devoptisys.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3956	3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	81
PID 3788 wrote to memory of 3956	3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	81
PID 3788 wrote to memory of 3956	3788	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3788
- C:\FilesWC\devoptisys.exe
  C:\FilesWC\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWC\devoptisys.exe

Filesize
2.7MB

MD5
0f3f0d9f2c3da3354927f1c4991be7a2

SHA1
ad97cfab5e0f30e761021280730f61f2834e8f44

SHA256
7f79f8a93cdd3b8e4580af872d58ac6b3a15c006237dd1d9ccc031f22df2303c

SHA512
aae4a1c0a4b349f7d0645954f9dabfdcf8e5c9689887cc33ade6077d6d3cb92114a7c960bac7e0952024ee0410c437aa1393c330cfb7a2803ef0b3c616f7d736

Download Submit
C:\KaVBZZ\bodxloc.exe

Filesize
2.7MB

MD5
4e71c5ebe9d31a55988390b7266c948c

SHA1
26a5a117de61823614bd85d72e34e201b1ff2f18

SHA256
40b5656c7b34284e2b6f9f33cf8d8a6fc255cbb8e9ec0982396feb565c81632e

SHA512
efd85e04eba11c70228a6fa4cc92041492322a05658748cd2a63e9cdb48e7e2352359654d6c979276237048e3af555ed50fdaf9e97f779ae555cbeb124ea290a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
8fb43ace655e499fd60dc9f73dd57c26

SHA1
6f9671a3f5af73ff222080527c4dfc0f587bc544

SHA256
3c325ef2058fae779d41ec7a77432cccdd270bcf517f746163b6e96afc7dd030

SHA512
468ada2679070599a048122111da58f89cbe0c4d1243570136e51ccd5027c5b3630f27fd444211d0d9a2bcb80caa54a0362aeac277add9cc3630359220c7e9c3

Download Submit