d7e982702b213cc9b903da0262c3103a4de3a97513b9e522f711ff1ac594d741

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
Size

2.7MB
MD5

76f247d1a2639b38fdf17b95c8fe2cb0
SHA1

8aa61dd1f1bccdf3ae95d7f953050700c7bbccab
SHA256

d7e982702b213cc9b903da0262c3103a4de3a97513b9e522f711ff1ac594d741
SHA512

6ebff3c85bb992309df26c5c47cebac25eff9b11ef438a09c499d7d05c4a90253d9e42c43c3a9020632cfacc76f3a3df19a8fc5037456f7d155f8e9a6848d53f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpQ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1888	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHK\\adobsys.exe"	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax44\\optidevec.exe"	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
1888	adobsys.exe
1888	adobsys.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1888	3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe	87
PID 3624 wrote to memory of 1888	3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe	87
PID 3624 wrote to memory of 1888	3624	76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76f247d1a2639b38fdf17b95c8fe2cb0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624
- C:\UserDotHK\adobsys.exe
  C:\UserDotHK\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax44\optidevec.exe

Filesize
1.1MB

MD5
41d1a89b86c5bb31c55d06e69185ef4a

SHA1
4062fa2f2dd07621c47253ac8f58bd1bbeaaa4f0

SHA256
f6074c399fa1fd3934291b7987f9cdc9378b6a424fe4c7a642b8454d8cb3bdfb

SHA512
93fad607d13114d241efb3c240087e21e9bbcfb7a92cb7a7b55060e9cd30bea58c00cec1e03e1d462761f30bd1dfd34be6595f485ea780036b9785d97245e0be

Download Submit
C:\Galax44\optidevec.exe

Filesize
2.7MB

MD5
f1cd2bece4f9a4e6f2f6962ceb30f333

SHA1
e6e0977a6e200b2cb5512a82ee25166a9b5b0fbe

SHA256
b32998833f913028bd18dcf4a89b93a2d305747259bf5136db0c274c0ea6ac7e

SHA512
a861d33f44fa3c92957af11ff86d4d072472db7ecd48aab14685da22a20a210e5fd3787be78908a2e43af99a38300c350d1e0ecdbe07f8d5a7899aac9675c177

Download Submit
C:\UserDotHK\adobsys.exe

Filesize
2.7MB

MD5
7711fe32a614b1180a108c8b5696f4ee

SHA1
7d2b09a662e8cacdfc7066aa24528a41ca0fd32b

SHA256
ad670ff5dbd73b8a7d503eb7aae7cd4065785a0e5e6067b128f2cc2b2178ddfc

SHA512
a642f7531478b0ff1bb8e25b7885fea97a0ff53b1cb1fd5a9d142909bdeea3c23adc4115bb1e87d85ca403641dc26f0f1272533536775628e52803b51ff378d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f900c1f1950687a8c83ab3162893a135

SHA1
9b3f286f19d1cb6269e19c8667f1f48c4a320a5e

SHA256
816ab76af03f7abf0c25d8666aeeeef98fa07dc9a3e3765a8ce721cbd5ac6071

SHA512
b6388d4ee2650847f124a5521ebded86511faf6a38de160f3be68345449964d0882f50f901805479f862d1394ca5bb7662f298317a7347a297b188b8af6afab6

Download Submit