15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
Size

2.7MB
MD5

27c4e6330dc96c5923b8e206fffbc020
SHA1

bfd4c34631a6a27e4edc59722ae2e1ffdddd762f
SHA256

15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386
SHA512

cecef1f8d0f32ec10b7169ddd0c210aa574eb72bb26cbb2a0972b8bc9470c7ecbb89517058be187369d2df774c1f8bf0eec9d6be44c7fbc88fe09d3c7c122526
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpx4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3616	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU9\\devbodec.exe"	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNW\\optiaec.exe"	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
3616	devbodec.exe
3616	devbodec.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3616	1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe	85
PID 1000 wrote to memory of 3616	1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe	85
PID 1000 wrote to memory of 3616	1000	15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\15be362e2a0779521c57c3ecf675ab6950cfe5d7ed33b377d7631ed35521c386_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\IntelprocU9\devbodec.exe
  C:\IntelprocU9\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocU9\devbodec.exe

Filesize
2.7MB

MD5
f714f0c7019bf53ee90a2e13a3f5cf47

SHA1
3916af20c1c9196e042747a0ac545bc2e2614c48

SHA256
57a8df79463cb026f34b3a2f6a06877f09e91c19b2065af5b7da4b10c0f379b7

SHA512
094050ac4058a9ffa51f79dc5968a8df53e1ad2b5b07cf6d1dae61aedfdb3bbce55f744e9d69771fe1b9358b85c18ab5b1f444c0738158b07bc73f157e4fa90e

Download Submit
C:\LabZNW\optiaec.exe

Filesize
22KB

MD5
c2a1eee7e7165aeafe294f576af25052

SHA1
c2cacdff58101f66b2f9005b91f54c2fe05c557e

SHA256
dc0a9aa300c6b268add9d1803c12250444394a8cd052b6378e11149ca2c5f279

SHA512
0a0aef1f47ac33f03a2d9d297bffcf4ebd4fada8ca58b46c1e3964516572e38e1d90a9de87255d5ea7159122efb02fe73c45c77e3398ff9c30113f5c49fbb8a4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
37779f212e7e42da173033a0a0535562

SHA1
0d1827f8ab2aaa41f3c0233bc447f7577682d705

SHA256
c38b66008dd3b70a6db4a54736f8c412049fd22919590a775f01bec2514be09d

SHA512
bbaa9e10b1b39a741c94926609bcb0a3ea021b492bdaa49c0033b46804574c263d4a67ae11239c93d2d3f94ea57dd538841b6aa86a52ff6a1800f98ec226bf62

Download Submit