fe24b0c7bd91b01d1ad3f792a37b6c0835ec2b2b6a3ceaf75a905fd23ab1cbef

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
Size

2.7MB
MD5

1fe374e4ae88310e49c8e4bf25871750
SHA1

f5feb114586104206e0cf215bdc03426cf7a7a0d
SHA256

fe24b0c7bd91b01d1ad3f792a37b6c0835ec2b2b6a3ceaf75a905fd23ab1cbef
SHA512

3e350628cdddedb9345baa4ce061c96943f19e0379aa2939dd86043e9751ea8fea73182eec322ef7bb6b5443cb9aaa1d4362007407f01c7d78e5e1dd03772754
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4136	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintO4\\dobdevsys.exe"	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1M\\adobec.exe"	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
4136	adobec.exe
4136	adobec.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4136	1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	88
PID 1856 wrote to memory of 4136	1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	88
PID 1856 wrote to memory of 4136	1856	1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1fe374e4ae88310e49c8e4bf25871750_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Adobe1M\adobec.exe
  C:\Adobe1M\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1M\adobec.exe

Filesize
2.7MB

MD5
f015abd97f97dc0541e39031162f07e1

SHA1
296f63e91c0c1c5287589c77654dd83b60eb0ea1

SHA256
6db705a46e06d63950460dd7c423a46ec3c6d03efb5c385213d26c87d271c83e

SHA512
b3435e304057b7df44e72ff715f7991eb9bb5b71d56d08145aabb6915e77db9a5b3a2efb9d405982a5c67dbcf0285afc18d36d68fed875e4800a48a5fc572572

Download Submit
C:\MintO4\dobdevsys.exe

Filesize
341KB

MD5
ef67fc79f3555472d26f12b70c839b0f

SHA1
22eb3d082ea30d8369d13b85af03cf45c3fb0e19

SHA256
05ffbeea6fbc275c3778205b276eddad1287053a893b41beba9627e55f3882c9

SHA512
78a4dcd99d4e76baa1566f0698fd486346b64009bb752b5eb9b22507f2edb4eedb0eca4ced841cd43ce7a978a0c9e7f420c0a756d412285dc3825c6b3089ff56

Download Submit
C:\MintO4\dobdevsys.exe

Filesize
2.7MB

MD5
716555899873c912312acfa1cadcb274

SHA1
915b43f5c2652d5e8222e0a29a2b6354c54a678c

SHA256
8ae7c5506b62970277e466392072b3de9488db03686f80143cb470df0fd971e8

SHA512
712d729c3299aecc7a47621da3e8253a80f01a6fe34af6965c02eef392d212d9a65d5b8c576faa86ef7aae0716752541552068421b92626cff5f482e79d52013

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
55d0bd90a9d15168657c9aef27d3186c

SHA1
b3c11c400495404c481f746eadb0960f42c24b78

SHA256
2ede7c603d40c0967735c8cd96242538a0454d791dfb3bfc770b2cb175c4d83e

SHA512
d204695ef8f99903d7d34aa5698c30f5b06b2e551d7157ab6077145f21f73e7f828af38b8c75153eeb267a4642ac9b6a28030be1d7f8eafabcb2ce4443b755ff

Download Submit