088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
Size

4.1MB
MD5

aa4be06645298e59ceb2e8778acc1b50
SHA1

546727ef5b4ae0f141a48b2f926d60ec1b47800c
SHA256

088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57
SHA512

cfcce156c00eafc1d323838675940dc0650bde73e638130ce5227ed2d3908fde5b016a8f6fa986a76fdaeb0806dd79f32dbbdd85f2090d1927cfdff090a5b7a8
SSDEEP

98304:+R0pI/IQlUoMPdmpSp+4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmx5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZD\\adobloc.exe"	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB23\\bodasys.exe"	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
2356	adobloc.exe
1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2356	1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2356	1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2356	1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2356	1736	088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\088bfb200b5562f22e2a0504882e79303e02f41ac00181e464615f1109f09a57_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\SysDrvZD\adobloc.exe
  C:\SysDrvZD\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB23\bodasys.exe

Filesize
4.1MB

MD5
38ab79a385bad048472dc9f8e381ff35

SHA1
fe05781f500732fcfb506e2828d00fe67b82c62c

SHA256
b68d98a18ebc67ee69e6e9218d92fa1d20111af779467752cebcddd1c12b6196

SHA512
84ef1f836fe917b5807c725298fb6515cd3ac948a9d3671dbe469b41f4e8bbf7c57e99ce74516024619b137a41ee37c0682ebd48055392df48cb56c338e8bfba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
4286be0c8ddfe2cfe63e8d764cc8544c

SHA1
24e53a81aec07b85389b3d7d347d650c0a582309

SHA256
0d818c816a5d27e41172094116fc39afecafaf1372b25e7bee8017a67b7d7469

SHA512
1edaec2ca1bb9f5b0ddd438b8cb1773a6a4a15e539dcd0f8f62a6a884387327cfb453ce9248d783a4ed2eb2f12102e8da82df340ab5e2b19329ec5faf28d02bd

Download Submit
\SysDrvZD\adobloc.exe

Filesize
4.1MB

MD5
c387535c4421768e2ebf0c9ecd942e57

SHA1
29b8a16ae972659cd9b848e8f928bae919161c33

SHA256
9a79c4137e9e5c039c67426595e77851755bbf33d9802803cb69c123c8dafbef

SHA512
8f7babd5bb39209b5c1bc44e0dedcbe577b02313beccd551550498fb44116c72b634d99015a4ffbb1e82e92689ce752f2aeb64033714fa703b2182afc519495e

Download Submit