bb5a4edf68915986c7e8c9446893ab58e66cbb64e33408622329327fda543e76

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
Size

2.7MB
MD5

24265be61ea2debf472c9b95e1c78390
SHA1

3232b69a629adb7c931b54c8538e06d4f06f138a
SHA256

bb5a4edf68915986c7e8c9446893ab58e66cbb64e33408622329327fda543e76
SHA512

d3282dcb84314d107ed1f3947162b61125168933736062b3d0b47096136920647842633b8102e6beb132a8bc5dc3179aa471554ed15216dcc37ab4f584c2b831
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
644	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIQ\\xdobloc.exe"	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJC\\dobdevloc.exe"	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
644	xdobloc.exe
644	xdobloc.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 644	4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe	87
PID 4524 wrote to memory of 644	4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe	87
PID 4524 wrote to memory of 644	4524	24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24265be61ea2debf472c9b95e1c78390_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4524
- C:\AdobeIQ\xdobloc.exe
  C:\AdobeIQ\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIQ\xdobloc.exe

Filesize
2.7MB

MD5
86537e45920253b7d01130571d974ce9

SHA1
f3a37907ef1e87798339385570fb60b4e2d2dd55

SHA256
1e88e38db263bd7331d276205049489bcd9690858b80183c7fb9bc896b94ddb0

SHA512
21cc5e8fb155423c65212e04b3595ddccb1109bf5cffd3ca8ac86d001cfe5c83020c5f5d0794a9b67d6bef8579d534318a789d4b22c1a55ca22880d5b708637e

Download Submit
C:\LabZJC\dobdevloc.exe

Filesize
621KB

MD5
7835b01418d0996e7db7473614ad41fa

SHA1
35a32b0a589a14b50eef62a242035bd6081c5692

SHA256
062095d493b79f5077e16be83072bb44f3326da83878ca5fe265e2e80b25a734

SHA512
132f6a72086589c015b3840c7d90ddc9762ce8e556da9afaf79a8604b2e8190151056e4587d0abc3a8d90b2a244c340cb7a568430b7e066375037e3ddd1846d4

Download Submit
C:\LabZJC\dobdevloc.exe

Filesize
2.7MB

MD5
e53faa18c89ae98e707ff685f0c08507

SHA1
0e6e66bce0f15cc46b73b9e98b41100e6bdd5dd3

SHA256
aaace497fdeaf2f337511202dbc9c372b6d66c19d0d49da5f77b59c003feb358

SHA512
4de6a82239738027445c071f00acaa6b732498865247f97dc494bc65e144ae2636cee581f16cf3fd05a7b1611d8a37eca267330ef03fd39964c8f3d4cabcf66b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
8cedb063ea492be3fff8752e5a230078

SHA1
de6e7d04cd9dd785621417f944c54a867c47b1fe

SHA256
9cf3aca9a2d9e13b236847d195b411159d7eb4895c2a654754fdad66fe19c473

SHA512
c013c0e49c2a52eebb8790d4779f36e972f630cf2771fb677e8bf5b3602445fc3805da8685f071fd64d9839fe370c88d317bc69d70b59cbb25fb1fb7ab6acab1

Download Submit