f388cf7c61fd87640270d2155a29897e790712d731f68e0330442e1d3aeb4e00

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
Size

4.1MB
MD5

ac306205086202cde216c82e093eea40
SHA1

df1a8dd2094ff52ce763b6ccec976fd05ded5c9e
SHA256

f388cf7c61fd87640270d2155a29897e790712d731f68e0330442e1d3aeb4e00
SHA512

d79fd312d670f0143ff9878841a048e900ba07a1bb584c21a90e61fbb46a955b357dca71eab6fe6a0081b3d722df3d557e168e3932410151fa6b1b05f1f283d7
SSDEEP

98304:+R0pI/IQlUoMPdmpSp54ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmC5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6N\\abodec.exe"	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1T\\dobdevsys.exe"	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
904	abodec.exe
2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 904	2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 904	2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 904	2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 904	2364	ac306205086202cde216c82e093eea40_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\ac306205086202cde216c82e093eea40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ac306205086202cde216c82e093eea40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\UserDot6N\abodec.exe
  C:\UserDot6N\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax1T\dobdevsys.exe

Filesize
4.1MB

MD5
3c2ce672774aacfad45ee1d33e698ded

SHA1
57a7307b12aa104d6aed3466cd024e47cf236165

SHA256
9f9bb850ab1c8719535c044c50ec378c7a90850ef339d751f021e9f985ad5072

SHA512
181b403fe736846ba3b30bdcdb6d07a34fbcd9811e21fc80facfd645d6d74f38bd6af0fcc91af1090e64a6647d525a5f33a18c43330259747843bc3ab3c8ba02

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
58b110de6aea6f799e31d6b8144b4600

SHA1
65ce1c653860ec20fcb3a2559581e85ff79fa966

SHA256
a967c88db1ae1a6161660c51210743aa769ce2c308402d6fab148e4989f09bc5

SHA512
e7f3251f1bfdddad959651ea3a76b37fe2a24ab63015cc7c8a09f6722014b002f160276ab8e72d67810cd08988a186b0c9e0be2ce9a67974b695b10789d947a3

Download Submit
\UserDot6N\abodec.exe

Filesize
4.1MB

MD5
92fe4eceef28ddec20310aa5421d4012

SHA1
a66582bde9255c6425400f24a2a5601061411e6d

SHA256
5830e494c8a6f1c5b4f67e126fe1372bf368f3dab25d9a6596786b7dd6724130

SHA512
8bc6a4d45dee56ced1afad629fc05123c9482498bb1cdfa0159359a4dd13b534e0beb10bf0480ebc3323d6d6787b3b0bb22d084939fd1c995df9e9eea91f0f88

Download Submit