773d9f3843f0e8662983cf3d498705f24492ebfebe627bb0c3306b484a387af3

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
Size

2.7MB
MD5

1ff6f59bfc876171a3dede8c6a1468d0
SHA1

36b7e0a8747c88d0cca859c24169e160941700cc
SHA256

773d9f3843f0e8662983cf3d498705f24492ebfebe627bb0c3306b484a387af3
SHA512

2b0bf9ff7ce3a9a9ef6596fd8dcfaec98aa09072f5240872ee2c975c6bbba20bcd40020fd41b9683a3a237fddc2a93bb810210aa36cb69c52724b1a5233e1da1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc27\\abodec.exe"	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA1\\optixec.exe"	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
1688	abodec.exe
2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1688	2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1688	2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1688	2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1688	2044	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Intelproc27\abodec.exe
  C:\Intelproc27\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZA1\optixec.exe

Filesize
2.7MB

MD5
052d1b41634bc89e20e5f620b7498088

SHA1
3d70b7d73cf7ff562b55d37167b238a0af3e7190

SHA256
accb60bb5fece88250fc0b70c9cb3ceb3d96c9fe4db8c31bc12d3a9e733e8a53

SHA512
2f7fc50abe4354f03761670128391682bc6524851bf94e4c93bcc906280cac12e53612d95420d1f91952e2148e715e4df9c70ca245d87696405bb2f8ba4d69be

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b549d2d576bc72cdd1c5429ebc883289

SHA1
c41305d6a5d8fee008a6679674c4e39fb2f3b6d5

SHA256
dd3b27ca54329127a9d06b22550116db2d6d181c32dcceeb7069d128e56bafec

SHA512
cdf7e48de9d8904f84750ab0c30f3bb96b32f71b43a1c02b36faecf2b798f6910ce27371ffd37bafa0aeb2b48f5ae158dff3f9361ff53ed7ddc3dd33fc310a3d

Download Submit
\Intelproc27\abodec.exe

Filesize
2.7MB

MD5
2e1216b3fc3223b6b304f66e79e6b8bd

SHA1
2281b95fd6ff93541261092a63fb99ff109183a7

SHA256
66566d925e57cb9707994bf6f344b06144dd116263a1b18b1b0dc7c03c1efde6

SHA512
ebcd9407d7434f508102ab5bd6f2b278257de94a947af6435fedd5a1f049dd82975f3638ec350f9e0b595d872f748996a60a5e3368e204e623ba054ded4c386d

Download Submit