9eb48d2715d4a2e4f8d8bebc186bb9fce9ba4afd62f53e994e6658e0d604f476

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
Size

2.7MB
MD5

911b776b62705800574c440e802f0b60
SHA1

e2b260ec498f433f59f30e94776eb15d72f5681e
SHA256

9eb48d2715d4a2e4f8d8bebc186bb9fce9ba4afd62f53e994e6658e0d604f476
SHA512

83db847fd2b66358bfc9a8794ef9fa1788ae5480dc0421bd3d399b5abc3962df028024a753a4098990f524793019b4469a41c54c64516b458923571915565392
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR3\\adobec.exe"	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLM\\dobdevsys.exe"	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
2928	adobec.exe
2928	adobec.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2928	1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	89
PID 1536 wrote to memory of 2928	1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	89
PID 1536 wrote to memory of 2928	1536	911b776b62705800574c440e802f0b60_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\911b776b62705800574c440e802f0b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\911b776b62705800574c440e802f0b60_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536
- C:\UserDotR3\adobec.exe
  C:\UserDotR3\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZLM\dobdevsys.exe

Filesize
2.7MB

MD5
a25ef7476925917a20dec97a705fe7f5

SHA1
a8a464c55a0a076aef4d027d38603ef034488df1

SHA256
2fba39a39fd91f8b588e147d6ac63c47f1f503181381052384b6e974d508b47c

SHA512
f7c14cf157dd80e6cd9aafc8f65a76eb4e4b7fd54581e60d6517cf4fd8375ff92181da8a00356f6970d8d902cfea0d4b245c3e8d74608c4e0d2d39e055cbeb77

Download Submit
C:\UserDotR3\adobec.exe

Filesize
2.7MB

MD5
2403903f842020f1614a3b884344ef39

SHA1
880350aa42a43a7ef9e3fc485a1fecaab960e81e

SHA256
a2728c9f01a02b2d446bbcaff4f5e523983b80fa6c12373c552aa105d7129540

SHA512
97010045e9fd9fb7b6c62b461f2e8cb225d56552bde101f10b31579fa90573eb4df7c20dce36d732cf39fb2f7252207e1345fce7ec246a395e5d88912d033ded

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
0d4535532e84225d0616677fc6e654bb

SHA1
ca081cb2da4b4135e5c254554dd1764f018ffa13

SHA256
4fd67675434b80b5af020f25494934ae820588ff1369ebc2568d38d0484d63b5

SHA512
6a205dd2866b835ca7f5f2760e2a677078725e2c04ebed44beea8f07a7f7b2cfd7557a39b0af2882496937a1740dbf880e8d55b8058cc59123958655f668b5d8

Download Submit