70977ea5e726722dc03557cc8a7a1a52c9071421b53adadd3b0979a1b697963b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
Size

2.7MB
MD5

34e29abe6171e31f0c6a54dbd241a280
SHA1

9896ff3a7dddf4e713ec9dd0fbcc367be0b6bee0
SHA256

70977ea5e726722dc03557cc8a7a1a52c9071421b53adadd3b0979a1b697963b
SHA512

5058b6d41e1923853dfd0cd74f51d534633fb52fb7315cc9740cae44f97fd5752504a6e157d0863068a201e5c71afc13dcaecefc1d10a538be6f43648e512fbb
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpt4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1372	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7V\\abodec.exe"	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFS\\dobdevsys.exe"	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
1372	abodec.exe
1372	abodec.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1372	3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe	84
PID 3524 wrote to memory of 1372	3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe	84
PID 3524 wrote to memory of 1372	3524	34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34e29abe6171e31f0c6a54dbd241a280_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Adobe7V\abodec.exe
  C:\Adobe7V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7V\abodec.exe

Filesize
2.7MB

MD5
b49a17008803061f816d027b40ceef59

SHA1
02306db4226f87a41b3ae80bc94e1cce8218c213

SHA256
5b4d961f63216ee74ffe74bae6e1528de978ed0a762a99b75b0685a5c49248e4

SHA512
e7f63ff1b7f0128e9a3ff0650f91d5696265e9c8faba4bcd2cf203503287bca55a23ba159a29a5ed56623305129452e363dcbb5c40faea858b1aae4f394e656c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
cf2da03e84a0484d4573fe1d93f7ca05

SHA1
92f460b00ab982e910e9a472875051184004cc3b

SHA256
f80623dcb7a1d9d346ed5529e86127d28cb33def757ac204214afdf0dd97548a

SHA512
d1c085342bdaec09f220aa7eec037a88c223df8e044a0c7116246d48bd920c2b745b1eca916e10774f6e814e86bbc195540bf5ece841eab1c51a9615cb05751b

Download Submit
C:\VidFS\dobdevsys.exe

Filesize
415KB

MD5
8a715c2a9b12e6421fb12ba9ef324a8e

SHA1
e9d7d71d16e72238c9bb3528b284b543e79afd9c

SHA256
bd18c07d77ba1a4aca7424d13b0d7d38d4f20be87df621ff2217ce68e3ba44e6

SHA512
7b963d5b907ad9765950cf0a1baebef35ffc69cdebf78283c5417d0b2913c1774d5a960344a69d3f0228dc413b6fc4dce39723ba35ab39e88700071821a4a80c

Download Submit
C:\VidFS\dobdevsys.exe

Filesize
2.7MB

MD5
06165e8939937e6172d8024da5738b2f

SHA1
0dc8e74de1c68f131e8e56b51be97e1012cd4e7e

SHA256
48796251b08238f11eb96955c360c52155a71eff277e3b25f10d5ea1c35ed8bd

SHA512
de8943022be78d8854af4e6f48d26b7270300d90ca7570b27a01c5758654d9bc74384c86e2492a047d948b5eb4459b2c3e96055ca7d3f30bdd637c325656fadc

Download Submit