6b1ea8c341f2aad73717dca0ac0bd0e352e6ce25ec2234eac67c977e12d99ab3

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 08:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
Size

2.7MB
MD5

a99156645ab4b7da9c550f2d62e1b520
SHA1

70a239ff2ae6f540d59961fdeaa50900f880f8ff
SHA256

6b1ea8c341f2aad73717dca0ac0bd0e352e6ce25ec2234eac67c977e12d99ab3
SHA512

dadb1cbd744881c769b04e976793040a389bfd7b820c8e023ae40950349425bd49583cfca748dcfbe15e25e0475403568b7098987642758dc3163b0478eae2ad
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpZ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	abodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZV\\abodsys.exe"	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWE\\dobaec.exe"	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
2320	abodsys.exe
1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2320	1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2320	1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2320	1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2320	1924	a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a99156645ab4b7da9c550f2d62e1b520_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\SysDrvZV\abodsys.exe
  C:\SysDrvZV\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBWE\dobaec.exe

Filesize
9KB

MD5
676d55289ebe3b95f7296c256f4e82c2

SHA1
e60fbfe20f6dd5e273a0227788c9737ab9d0dc40

SHA256
4867ed928df39dede7eab002d04b85c682bda0ce96a32a6a33727628533d99db

SHA512
f22d87cd5f6b42194b6e873536fa1708a76308c650bbac952cbbe2e1ff6d7ec7e3dd9d2fc548fcde369b32f35c3cf65558db74c57f1b0e0b1ffa1edffbb007db

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
76027e1a8012c876aa53a45924405efb

SHA1
d776a6eff88cdb46e4f341b7db5534101689e993

SHA256
260e007246a33fbc74cb5580f0cbc5dba0a4a36ff60b70dc9225a654c57b425b

SHA512
c5b0509bbaf311d0dd2f2127fa74b41f6a89d64d5e2b118813a1bfd895026f20e3d8b0acde44716be8ed17ae1feefa207df5c76d6681399de9484f06ce97c241

Download Submit
\SysDrvZV\abodsys.exe

Filesize
2.7MB

MD5
892c0206ed80f817a846d57dec6c1279

SHA1
ba6db96efbbc12a6e4a1702d3ce47d8ceefdb206

SHA256
5ab35354f4eaea66a29ccd308777c1ee8d006ed42805f4c47e115aadf464ca46

SHA512
745598a69db12dded6fb3be003eda228ae425dff262af02863e982911dd800cefe35afd937f188ed1fda34c3bcb2011dd3d8514d2f5d1a8fb58bc6e18c380e18

Download Submit