9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
Size

2.7MB
MD5

3c1d794e0781dc0e550937f3706b6680
SHA1

42d1ec252ce6ef04a354222349b5d43f20ea09d3
SHA256

9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7
SHA512

cbf93304907ee1f7b0440bcf00d61464fbcd22829215b178f1ba9699e5e028beed6629a745d3cf2d76e4af844406ef467cb7d819793ccaf24a53502a3de0b66d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4S+:+R0pI/IQlUoMPdmpSpO4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ2\\devoptiec.exe"	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUT\\boddevloc.exe"	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
2296	devoptiec.exe
2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2296	2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe	28
PID 2804 wrote to memory of 2296	2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe	28
PID 2804 wrote to memory of 2296	2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe	28
PID 2804 wrote to memory of 2296	2804	9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9190d3f48fcad2bf7ada820bda18a0c06e2ae909c8eec1d48dd8ccb7641b7ce7_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\UserDotZ2\devoptiec.exe
  C:\UserDotZ2\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBUT\boddevloc.exe

Filesize
2.7MB

MD5
1fa580896f8db4f104767a1154f840c0

SHA1
183f7bf1b38f197a817ca1de1ecee637c165ba89

SHA256
863fa31f5607a3a3bf51815c6f591d3fc494c3dda932a1dd32da2bd654172bea

SHA512
04ed51852f0c0a3374fc3f9380be01f208a16335ea210c896d4bf7569288815de21737772f820013bfb7a0b093c98c8df524c422af53aa6fde29f2dda0aac2c9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
8f88935ece49c975e83ace3bcf945fa5

SHA1
d784a39d5996c63a8da169335b9a44c65345918a

SHA256
91fa11b0475cc836c90cacf82b9eee29de251e824e47e096a92312f35a0117b7

SHA512
00366a1071bb9e9b0e2584946b7fe83c24712b94d442ceb9b29b52f41b18e44b03d962234130e438925f83ce7286ad64ff3b3b3146593b916339c95905f9eb03

Download Submit
\UserDotZ2\devoptiec.exe

Filesize
2.7MB

MD5
3a332c3019956783b943b11b0536bc88

SHA1
9f5b7f645a87f461bd33daefa657613cbdec6f7f

SHA256
38dc48f39985db0f57f237bd6043acdd5e8384908b154b9f62eb5a4438b3d8f0

SHA512
1f40a5cae6f7bb7cb45e7940fbd30a1a857ae147a18bff43ce4dcb71f0f8a0cccb15cc422411e1789812f7feb8991909df55ee91ad91baba8a9a835ae7ea9369

Download Submit