74b548dd0d1484609f4d9dfda256d350bb17e210136e1a3032cabc34d1d4247f

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
Size

2.7MB
MD5

28044d9ddcca4c99b887d3af019dcb20
SHA1

25191bae37815e797b9d35f01a5ac7ed8d43235a
SHA256

74b548dd0d1484609f4d9dfda256d350bb17e210136e1a3032cabc34d1d4247f
SHA512

54b7c3dbac33ae5aad23acee34a4ded385006cfeddc83993473b77c5e2eabba3b1330c1d8d1095249a8cf785e046fa9e3867fafa021d93864686737a75b7319c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4Sx:+R0pI/IQlUoMPdmpSpy4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4812	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWE\\xdobsys.exe"	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZ2\\optixec.exe"	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4812	xdobsys.exe
4812	xdobsys.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4812	4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe	90
PID 4708 wrote to memory of 4812	4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe	90
PID 4708 wrote to memory of 4812	4708	28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28044d9ddcca4c99b887d3af019dcb20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\AdobeWE\xdobsys.exe
  C:\AdobeWE\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeWE\xdobsys.exe

Filesize
2.7MB

MD5
a3608a54ffd33a0cc07e5b533c0e8679

SHA1
27b7c824a241e9443ddab8bf0c58919d452574c3

SHA256
3a8e60735450ad423670088b36c11e41e57d9bd3e4440070c660794400fde6c1

SHA512
f7d0ae7cf97ef00b66aadebc52d32ac2be72fadefe263190458d18183afaf8c317a8fd44042cd1e9bb9c98a0cb885b0e33353f4c4f70ef1eafed2798359e6fae

Download Submit
C:\KaVBZ2\optixec.exe

Filesize
2.7MB

MD5
92ef6e1e4461feeea5c136a016d554c0

SHA1
3487126273ae5853024005322a8035a650592d74

SHA256
676f422ab5da1267755443ceeaac797563288ea752ee3c833caece3e0199ae14

SHA512
2f34415894150408074e497f27e19ae0aed4131c4ade5eb2f4b4d733a4e86dd8cd0ef99f5c37aed001014c253890698b3a61a0ec7d0d96c6cc4cf124f5f86662

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
41143004043455d590bcc7137bf56ff8

SHA1
46e3a4f419a981588188f12ba23e2080a91f480d

SHA256
3bcc4d9a7917d497052e095432eb2c02f81943b8d63bca2b25080397e689fbef

SHA512
61b2540f7cad9196633ad6ffa60360c77816059659d64ce47c1e626cffe45ed9f164de4cf24ce8fca51353a412621a046f66a2368166e281f7c0f72c978c9195

Download Submit