0ea05f9c0887db9f73b7e7fe28072f533b039d8cd0895fd9448164ba99e09e8b

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
Size

2.7MB
MD5

135edd8b3b1e903b27ffc64ebf2d4130
SHA1

1f3bc79d91b71b670e11d59a22fa96cb4e327ac4
SHA256

0ea05f9c0887db9f73b7e7fe28072f533b039d8cd0895fd9448164ba99e09e8b
SHA512

653c88bd92ebebb0b7f71d7b888f970029f5ab0b8d91fece819a43d6407a5d35b89c03c68cb07545fb3e66f3333ee6559918275d2d6284168f57eba6cdf02af9
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBB9w4Sx:+R0pI/IQlUoMPdmpSpJ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2888	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc67\\abodsys.exe"	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDN\\optialoc.exe"	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2888	abodsys.exe
2888	abodsys.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2888	2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe	90
PID 2960 wrote to memory of 2888	2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe	90
PID 2960 wrote to memory of 2888	2960	135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\135edd8b3b1e903b27ffc64ebf2d4130_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Intelproc67\abodsys.exe
  C:\Intelproc67\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc67\abodsys.exe

Filesize
2.7MB

MD5
7723bf7fb44e563650a569ad9f4a4b9f

SHA1
60a741447e5c39229d98807f3782a8bc1c009bb1

SHA256
01cd931eba7f022b310a8d62430af3574f8b733a9e7f3ea54f6f7341efe83871

SHA512
eac0d5e5e3655a564b7b8da2cc76cb5e6eda61b4d37f3980805d1e54be10722f05db8e3e9d3cc91fb2fada6ab6f7611d383c927d0e1193ed001fd24ab31c760a

Download Submit
C:\LabZDN\optialoc.exe

Filesize
2.7MB

MD5
6b25523afbde8bd4d0d55b73c253f40e

SHA1
f8c9451c723aed0cb67a1abee0d44bdabec02d6b

SHA256
4e66c75dbbf412a3854203740ab2f7a0e3b64c3f75c7a635862947187d9a579b

SHA512
6272cef23a7fedc58f84710ce7cad3e8b43189a90ca54afeda7e88ebfedcbfb2ebba7943ccf0b2ffe0339c09dde82b74963848b1b16cb1823f8c3572824c80fc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9b709088802b3a4f0097789c8bee2514

SHA1
b52b1cfaeaf7e000fef140392f391c696ab7dda2

SHA256
30d12a7b55e1d3a773eccc1c4f6e794768a47ac0a928c0f0abd103d422747ff7

SHA512
5586cf6ac118dcd34ed7d13b35d5e869aceba97ba67e64d1a6bea06043e053f678a0094aecbce9a07c4e139da86e19ffb907ac0b6513784cccbd5c47df5ac000

Download Submit