67dc121b8bbb8c038568eb17a838c3b4ea2b00fd256ade810c7824bc0307d354

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 09:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
Size

3.7MB
MD5

bb1026e0eb1bf7c899184931bbb8fc80
SHA1

e25bf1355b9cfd5bd97ffe3be1a39f666733fad7
SHA256

67dc121b8bbb8c038568eb17a838c3b4ea2b00fd256ade810c7824bc0307d354
SHA512

8a05b89bd86603b580522f66898b1ce249ba3bbfb9c5c65ca7002c18ce8c01f7e9629984722a65f377427800bc42f19976ee69d01c22c6c768e40a20d20e7558
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6:+R0pIAQhMPdmQ5n9klR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSU\\abodloc.exe"	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2C\\optidevsys.exe"	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$locxbod.exe	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$locxbod.exe	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
2320	abodloc.exe
836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2320	836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2320	836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2320	836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2320	836	bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bb1026e0eb1bf7c899184931bbb8fc80_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836
- C:\AdobeSU\abodloc.exe
  C:\AdobeSU\abodloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeSU\abodloc.exe

Filesize
3.7MB

MD5
d89d740d09ee2d106dfafa0220b021fb

SHA1
44d9b7beb5aef4f9cecce95f35a3da263e332c00

SHA256
5f57422192dece2e9a0c7dcf30871f6f782caa9dd150ffb901f77e2c58268ec8

SHA512
f6b6b12e321ffa0aaea26c434e32e004e0a42fdef65910593958ed7cb03a8c2d646d3349a8bfb1049ca81f8a07d5ba4914a4e2265e993e8ff389af9eb2a10088

Download Submit
C:\KaVB2C\optidevsys.exe

Filesize
3.7MB

MD5
a8a575103e3a7e792022e19028e41573

SHA1
59a54a92ddd829b3659a7a9ceff9c89a8d879eee

SHA256
e0641bbc4270a884414e0bb4f6d601aeb5cb71fc1afea40b9bb1988448435ace

SHA512
90f4593b729617662e426826a61e7eb450e46ba0adf7080d312bf3be0a67d30932eeda308a70a612920d3c0d25a6dbd79a0e4d5b3dbe59dca3a7ceb886c4528f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e7405a14f8fe124907d3505cf597e1e8

SHA1
95b9b32578ccca920233111db583b323dcb6c346

SHA256
d9433700ec855b4cd12925644fa3bcc206a6fdacd206804e861aa2c3597c4d24

SHA512
cf6d1eb872cd0afcdf44f266fe3c6dc646f35826a20dfa2f18717d5a8b335019f66ec792284613aaeed5f792219ae528fc4b1910d9e1f98bb485402da30b2e32

Download Submit