a2043acd88278fa995b4452dfcc3f25f5e19c01d6106c850a69b1cc6ff650df9

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
Size

4.1MB
MD5

b1a6b0106fba3812ff3223ccb4049290
SHA1

833b7c497d9b0c700258f8508b38a69eb722ea7e
SHA256

a2043acd88278fa995b4452dfcc3f25f5e19c01d6106c850a69b1cc6ff650df9
SHA512

fbfd5201ed3c68c410b9197e207f2b60c343d3dc781358d3ff000908256747062cdd8a5a6bdba51dd299b86ba151f6b0c9dbda7b3b9bc02a43279eb1610d849a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpc4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmb5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3708	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJ6\\optixsys.exe"	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesE4\\abodsys.exe"	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
3708	abodsys.exe
3708	abodsys.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3708	1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe	92
PID 1196 wrote to memory of 3708	1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe	92
PID 1196 wrote to memory of 3708	1196	b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe	92

C:\Users\Admin\AppData\Local\Temp\b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b1a6b0106fba3812ff3223ccb4049290_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\FilesE4\abodsys.exe
  C:\FilesE4\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesE4\abodsys.exe

Filesize
4.1MB

MD5
ca47a9965de070b448cee6935fdbcd97

SHA1
595ea1de755301dbda345e320d84d25b12fdb4a3

SHA256
e875e7b489fca2019f5657bd1cf13729b6bd60c76fd6cabad20878a78d55e3db

SHA512
18fd37067b5c901f25a3f91e33afd0e58b2aaaac49d5177801bfdfcbf210030f41b02f477d00a96b6277ea1e3ba57cf76252a3ad576e39228c8de6552aa7962a

Download Submit
C:\GalaxJ6\optixsys.exe

Filesize
4.1MB

MD5
2e8a1d483f2f7520a8ac57bb56e4c76a

SHA1
31aada3bf13be62eb1ba99c938695f0895cd1564

SHA256
2241562ef95c2b39ab2dc538269bedea391d380097ad2d2095f86134595f81a7

SHA512
50be953c25139b1c88053fe70573900f494a7689f23329f414ad61e6dfaf91e01456b19cd9dea5324cfd2b87b441ca7162db7c04466570ea8f142e4595c8f1cd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b43d572888856b902d63f52186022c32

SHA1
48c175bf0073dc53b631328441d3b972c2673e19

SHA256
359b0ddb644dfd9085b9ad4f1cff040053d94ddedd32a11731b31f18d49e73b3

SHA512
7970841c040bbc778e428bb81bd9ffa2361e7bf893a69199b6265c87f4844f9f6b0dd590bed7d2126e079f37cc19a8262a158a6f683fa82d1cbbde837422b700

Download Submit