2bb6cf1695905b045958583304026ee2e1173e86cc82271c204efb9c1436c30e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
Size

2.7MB
MD5

4172abfc9ca3cda77f3eff2f6d398310
SHA1

980d13bf8904a18bc31f83ce4865b98881fbd6fd
SHA256

2bb6cf1695905b045958583304026ee2e1173e86cc82271c204efb9c1436c30e
SHA512

a1247f987426f0b3181dc4478248b7be16960564bb6ac33f812eb990caf713eccb73387f748f162b71820e215ec406d84936e77a3201170bf552104e68ff3f8e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3224	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVX\\abodloc.exe"	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQ3\\optidevloc.exe"	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locdevopti.exe	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locdevopti.exe	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
3224	abodloc.exe
3224	abodloc.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3224	2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	90
PID 2280 wrote to memory of 3224	2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	90
PID 2280 wrote to memory of 3224	2280	4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4172abfc9ca3cda77f3eff2f6d398310_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\FilesVX\abodloc.exe
  C:\FilesVX\abodloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVX\abodloc.exe

Filesize
2.7MB

MD5
6068e78a21ee1743b71b7314b3bd2305

SHA1
0a04df332fcfab0021b5ab7a1f0b218ffeb85897

SHA256
80fc33c93bfac651cd83ac885ab1bec4a9b1c8043b4a047f80652f1939d0da4a

SHA512
be13c891449febba7e5459ce1e3e012148c180b77352e3fc54e1d99f2cf3fa28d133d377fc5bfc49f9f441e7b31616c5d135e05c1846f34a40484ae7149541d3

Download Submit
C:\MintQ3\optidevloc.exe

Filesize
2.7MB

MD5
8e72ed395483b5b4fc17644346558f37

SHA1
f7d441c3ca882e55c451fdf06bb8b37e66b61ecc

SHA256
a2658781dfe8fe5e08328bcf29f5f0f66407180dcbfb38927c6254e40cc091ac

SHA512
b142afa3dc69abfed861458149e3f4569b55c11c1a8a5fae2f92d02e2967910c78b767db484c73ce872582b84264396764a4b3f895ac18a3bd0aeca9217a4314

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
e095f355b60e6ef92a1a4d0b68815d96

SHA1
b12bdf93f3a4cf1911a131457240bdbe6c5c7c9a

SHA256
d4a3a7f5aa444baa7c1892873bff5d0270ca82f065b1606c7f00807535ab203d

SHA512
0b4af3ccb0e525a36f39e0ee518f1a557c0c81941e3364d7952d4cdbccba8ded01c3edf82ea8dff9c0a0af135fe05524ac8d28ac118b9628be23de35b64191b7

Download Submit