4a9625451d54820551fc1aef8919994591ba6bcea0ba35eb69af8203c95658a5

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
Size

2.7MB
MD5

0820873b163e8de3563dff787e1b2dc0
SHA1

2fe935f48312944cfe95abcb6e16f84671f10297
SHA256

4a9625451d54820551fc1aef8919994591ba6bcea0ba35eb69af8203c95658a5
SHA512

8d2f81586b83cd205107963811dd330b9bcd1f768ac2425fec1ca41ee06ae8f9157586d11d4ffa198ea43cd29547ddd7369ce869273a283fc181a3cb305c98e3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSpU4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8V\\abodec.exe"	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintST\\dobasys.exe"	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
2144	abodec.exe
2144	abodec.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2144	1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe	84
PID 1488 wrote to memory of 2144	1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe	84
PID 1488 wrote to memory of 2144	1488	0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0820873b163e8de3563dff787e1b2dc0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488
- C:\UserDot8V\abodec.exe
  C:\UserDot8V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintST\dobasys.exe

Filesize
2.7MB

MD5
fa0eb3c40cd45da220414c589a2aaca0

SHA1
377e49b473f297e69b679865dd571531dd572ff0

SHA256
34a2f0e61fb1f70ce50343bdf273ec1897b32f6563ad4f3440929379f2d11d45

SHA512
dc8c056cf530d4e3872efe2cd8a0fb0e7d4a1a0ad3cad1f7e7f0de4f9602ac590d13b85672ebdd0e8feb00ed06607b168c99e24f80d8577de8b7eb43edc6db3f

Download Submit
C:\UserDot8V\abodec.exe

Filesize
2.7MB

MD5
3bd9f6a87c61afda971c5d16ba895fa3

SHA1
370b638ecc9ed527bd680a3015052330a7c2a971

SHA256
69907e14224c95371a3aaba4e6992b41f51068ca87e793a9fe71ce4bdf1818b2

SHA512
89e8c2fee1bc495e7e9a10ea3b0b14485a86feb3f7894db869cfb5957a563c66e26f58c3ea1b28d95666dd8e99c3c29dee3d669de4ce2eaaed58dff9c5f536fd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
a3d0049eaee440e23eb449ea0192623b

SHA1
b8a021c011e6c5d214d82e8cd08d2fee02bea4cc

SHA256
485fb5436da5c413369241717d03952ee6083eec7bffc769f0afcdd3c072ad4c

SHA512
d0e51f1564df7cfe40dc6bd8bc8862a6b8d32465f2d9a0c9fe653e4ccaaf1940e48cd7100c317a0d2cdeed72bff80f0e6b75d91e0c016d3e8516cbb1605b9459

Download Submit