504818bec2f01dd9d6cf2b70b3c8261f71213e086fe353f4c4ba415ce0e24b36

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
Size

2.7MB
MD5

1484455779f4539a1990e88c931d6d30
SHA1

189a77c19cfc6e0f7d2aefec2e41574411bb3055
SHA256

504818bec2f01dd9d6cf2b70b3c8261f71213e086fe353f4c4ba415ce0e24b36
SHA512

1637ec39b66f8ecdda646d1a637278ff0875f0bd3eb572ed7bbdda2d5323bb2ce7247620e75bf6318f876597d740aecbe506a5e438c225867e9df6bfea6577d5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBg9w4Sx:+R0pI/IQlUoMPdmpSpy4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1296	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc32\\adobloc.exe"	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8X\\boddevloc.exe"	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
1296	adobloc.exe
2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1296	2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 1296	2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 1296	2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	28
PID 2300 wrote to memory of 1296	2300	1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1484455779f4539a1990e88c931d6d30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Intelproc32\adobloc.exe
  C:\Intelproc32\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
7df4bead200bf0acd985ae7f463a6453

SHA1
07602005f0a8485af1d40be5a2fbd7112783cdd8

SHA256
fb1ea9ae083fa64258c20f652531943c1b5e3260a4846e7650d3bf85ca6e4243

SHA512
92590c6906227c8e9a505b470c3778b63e47fc0e4a93e4a46b5c082c046d779b8a296b8b37c45202aab47b18c75c8663241dcf0ee7992458cd8f2a7de68e8e3a

Download Submit
C:\Vid8X\boddevloc.exe

Filesize
2.7MB

MD5
56ec9082c0c59ba6d6d1a7d49aca8103

SHA1
8b2c00b4caa7d4029af2bf11a2db90f2d5ec1370

SHA256
6293018d26988f6e9cdf77634110d5ea5f043c819a27415a46d29462984ae524

SHA512
2703c3738f8a5e209ccd921171a43e7dbf531d9102982b3522e0213d9576f24c81821f699b6ff1f9e3793be828da51dc254da677ad36f9090f9c09a9a30c0932

Download Submit
\Intelproc32\adobloc.exe

Filesize
2.7MB

MD5
1cc7370618575eb5676f3f1cb3b07336

SHA1
cb62659a504b95e6c8215fde4f63c2ab3d7deaae

SHA256
3884b674886a80f8a9eb36286007f9fca8ba3ccfe7b8394f9d0c5aedfa47312d

SHA512
76e73cee7bf6e8039de32f84f311e2799de37d2d74f8a700c9f71e4d81beb3c8b4b1e65c7a798bc2ea373e09813a8aaf86cb963d2731693cbd0a36bc62ccd0e7

Download Submit