779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
Size

2.7MB
MD5

99a06e707688d8b31a1baede6e7db2e0
SHA1

3036553b3761cce90a620ed62ce1f0983a0d577a
SHA256

779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14
SHA512

96b49ccdfd4f51b65660d5a408a884c8b8faa7ffd0731ebc712dd299ee4275d0c390b21893a41800ff4d651bee59cab500bd973269e05c49d8842bb227f4d742
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\devoptisys.exe"	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR6\\dobxloc.exe"	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
2432	devoptisys.exe
2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2432	2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2432	2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2432	2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	28
PID 2032 wrote to memory of 2432	2032	779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\779ffe0fb2afe5c098074a1366dddb235e4d8c0be63ae3e38a62fa46bf3aec14_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\AdobeHM\devoptisys.exe
  C:\AdobeHM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxR6\dobxloc.exe

Filesize
8KB

MD5
18f9e5889b79178d8757b18c8d1b67d3

SHA1
e70ee94d53ceba1eacdea91d5af71a2203f08ea9

SHA256
187f66f9d8a67e69a32c5d0631666f1a7594d1207f37d94d421023d225ed6c14

SHA512
b64bd79cae188097cc91a99887efef58804ba8948745a6bba8e365bf023d7c107be2433b4b8f12720994b00e45c51902ddb1a9042db65adc85c64fea360b76f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
fe31b7e863a8a01718cbe542a3452789

SHA1
d232439be93f69031eca77453daad9688743d8e5

SHA256
8ce5eec4a2bc84e279189ac7d2691f008aac10b35a41cd6b8f011e8f1a04c3ca

SHA512
12f8156aa8febbdc98100ce8376c5c52f5accbea635e89fa0f194cd00991086bccfffa0e0897301dc30857bdf30b9447b4acc5c98a90940cd2c91698e0e7fb7e

Download Submit
\AdobeHM\devoptisys.exe

Filesize
2.7MB

MD5
c25b4d2025fd937e5b81f896f6ad2bc0

SHA1
01514c8f75ba05d998981b302c9cb27a466b60b4

SHA256
da7c3c0e73bedae94c35e0b9bce7eac6395aba6047816cd087a3147f82db257d

SHA512
d0f8d78b4d2b2aa0b4efc3f1a11ae6fc4970a431b870ae759e945d9a56bd8c5da10ae46151d30fb667cb0dfc3227efefb5fa9537f2a07ad167225821b03c2fec

Download Submit