4435fe9487982f3a859f218196182c22d409185ae4a25ccce3fb1ab4c40632c0

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
Size

2.7MB
MD5

446bf0565c0507f9f62cb98f193e7990
SHA1

94ec372c1411146d091a32497bfb48592705b4ee
SHA256

4435fe9487982f3a859f218196182c22d409185ae4a25ccce3fb1ab4c40632c0
SHA512

d0f3558b264271d1f5aeb5f2b91092756d0d306d58bd2b62cf96c2ad5628cd67993eca4fb0afbffe90e46b574c7b25e5880fa7454072012463a2e75026ec62f3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4036	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3M\\abodsys.exe"	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFW\\bodxec.exe"	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
4036	abodsys.exe
4036	abodsys.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4036	1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe	88
PID 1172 wrote to memory of 4036	1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe	88
PID 1172 wrote to memory of 4036	1172	446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\446bf0565c0507f9f62cb98f193e7990_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172
- C:\SysDrv3M\abodsys.exe
  C:\SysDrv3M\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxFW\bodxec.exe

Filesize
4KB

MD5
8eb2b86d56c013adbcd0b59d7e011880

SHA1
9b7f8fbb657667bab646452f48a1348653e81d45

SHA256
51d699bdd3b8d14f372ba605ae8f322f9959039c6c6b29c39093d7fc670bb4cf

SHA512
3a426dc07f6f46f499b36769e2137da9d589f16bd4cdfbbe6b28b02e5e4adb04cdfb8a021f5e2591100e81c24f3e87ef8f767c5736721391fb8906ce287ae05d

Download Submit
C:\SysDrv3M\abodsys.exe

Filesize
2.7MB

MD5
81f6e894e020e5f5375495444183cd54

SHA1
fa7ac7ceebfb4a50d1bc14dfb68248e6fbb72604

SHA256
92a53e24acc36f8b66b3b74078dabf99faa0987852494d7db97c1d80375b9c5d

SHA512
1f27c6cd8b29e80a36df9cb43688ac7d0ffe99ffacb8c4c5de2ab2a8b360dcc6678923e2c7eaf9f2ce02f39036af5f4e041e8d904734c81cbc059a5dae711e43

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
f24e9a43b2125b9ae3a34a72d2a3275d

SHA1
b5b19d6d34653c91acae06d2e8698658e9fc453e

SHA256
1492525748911736eeb1613459449c6a4d651a16c7a4c7022241a1e54838cee3

SHA512
5318242a2a2e7ede4f6a3cc0a0679af6c5ec3a6118ab068bacc4afc12dd0f76023be77dbac6ad145e6687f76eaf024fc6fad78b5cdc8151a6d94e08191af61f4

Download Submit