02ec9b08157a3562672024ad0fd57dc8d47bf3cb083a0eac573e7ffd7455ff3b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
Size

2.7MB
MD5

1a4ea75fab35867a8f68f73fdbe1aad0
SHA1

50b9c6d48652dd8ed7889e0b46b7253f3f074e2f
SHA256

02ec9b08157a3562672024ad0fd57dc8d47bf3cb083a0eac573e7ffd7455ff3b
SHA512

e135812e25aadb0e9cc6123711c4d91db20f93c8e7d52ddb6c9641b5e1e7f9ad88f6d78072d0035778be1e0b522fa056e7022667a96d95ccc8bd4f841da0cf92
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv66\\adobec.exe"	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax96\\optixloc.exe"	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
2432	adobec.exe
2432	adobec.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2432	3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	86
PID 3568 wrote to memory of 2432	3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	86
PID 3568 wrote to memory of 2432	3568	1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ea75fab35867a8f68f73fdbe1aad0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568
- C:\SysDrv66\adobec.exe
  C:\SysDrv66\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax96\optixloc.exe

Filesize
2.7MB

MD5
c6587fbf50466d153609edc2e56b45da

SHA1
21012c4acd3412040530ef9caf7166a6228c3344

SHA256
2167634f6bec341984f444deec7336a42210660da35adf51f2091555189c5aad

SHA512
b96300c0b58f2a029b35c6b93b78d3a6bf20cef3d24abbc7e228e5996317b39ec552110798b51740f23a35ddbd4b2ea807b07dffd23bd15b2efc7d0f66fdba03

Download Submit
C:\SysDrv66\adobec.exe

Filesize
2.7MB

MD5
6f94e4961a6ab491aa801848f3e86b9d

SHA1
cac71ab3f44cf426424ef671c31e0820964c844e

SHA256
c4480e7329c4d529c0ce0cd57af33913dfbb9d86cc91aef1f8b5b8b61894d38d

SHA512
406766788c15994dc6978564b3825f6a172c97d65d47fb1f1b4ddff1a731e7a802797bc786586700cde9e09aa75b2f8562207256c07f14000e04d76206dece68

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fffbaf85496b35ea17526237e5fe5eec

SHA1
d8b83f15de474ddc9a4d68c00cb2ced1ceba133f

SHA256
084181b54e47542bc1eb3a536f8351b375bdefc83379f0278f7c85607d1e4f6f

SHA512
d54cb5dd0456ea5816d7d829d5ed565611c8a142eb8cfb8bd46715ce1c4f478d9c45053823cab801b925fa0377ba9bf05a8d70cf1a32950ce8738c42852321be

Download Submit