858c89f30b05af1c73729f0336e2d464533937459d01b1a69ee5c95494b34bfd

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
Size

2.7MB
MD5

3f74ea3638172c3e60bd52b11d464df0
SHA1

ab95ea99167c903caea46011fb467aa6a678103c
SHA256

858c89f30b05af1c73729f0336e2d464533937459d01b1a69ee5c95494b34bfd
SHA512

c4ab53e3297a0378aa62e918b9d2971830a01b3ab396db2a1ff48c20abe3b542026f25a7166b57c84c27aef07f63f3f83d02e30ed6dbc679aba8d4bd9f29e1ce
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSpi4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUP\\dobxloc.exe"	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocME\\adobloc.exe"	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
2220	adobloc.exe
2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2220	2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe	28
PID 2288 wrote to memory of 2220	2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe	28
PID 2288 wrote to memory of 2220	2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe	28
PID 2288 wrote to memory of 2220	2288	3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f74ea3638172c3e60bd52b11d464df0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\IntelprocME\adobloc.exe
  C:\IntelprocME\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0988ce173a7ce538e9bfac42511f352b

SHA1
7748e5f1e1f3b966bc8613595dd9a4143ebc28ef

SHA256
9df0f11c893eba546df0cce5908fdd8df16c1d6f12e1d562745104f52a9c8e43

SHA512
5c3dc272a235c76d778f1758aaee3c13c224f22abf00114cd94fde84189eb5cb17a2f00e98aa667e53ca04c478b81d395a2a1689a193dff7b9c1539b38bd3843

Download Submit
C:\VidUP\dobxloc.exe

Filesize
2.7MB

MD5
a7beaa15ea672da3830b19b9512cfa55

SHA1
08dfe7e7b15cc03591add0c3ff14cbbab6171979

SHA256
adf5de02a3aa91abc8362d815d196a614b3f52679959482670da71e79ee8c7da

SHA512
3e4094f8e7a111f22904e352e6b77cf3dde5c5fa3ed9d62778cd8bb21f95bad3ef327284ce2a7fff14164e36eedef34063cd33a541a37715428ec173f20b9689

Download Submit
\IntelprocME\adobloc.exe

Filesize
2.7MB

MD5
35787a27815eca8fc60fe3102e4d7e5a

SHA1
126e63a3002b5f2c60a6c4ebba60eb0f1523d67c

SHA256
5a8bcd0d34e4ac4f71cbc6bd06cfe28c4140c95be12020c6806db83a518a0d9c

SHA512
be55813ae0385ec5281fd52c621415b1ae8b3e487c484aabdfd5ad852a129400ef87d04f45624b80a38a6043093ddf4484b7e1d1766e67d1642a5fbaa3788be1

Download Submit