4452565de6e6b7945ad18b1b3410b44c348adad16b6df1027163967dd1533eef

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
Size

2.7MB
MD5

1773d601228a96ef49b6e6ecc4903540
SHA1

9c7b927c5025f9641d73fa745e6bd92594875102
SHA256

4452565de6e6b7945ad18b1b3410b44c348adad16b6df1027163967dd1533eef
SHA512

2947066efb6ec35bc0b2a74ab924a765fcf247bfe58f54dbf4c2ef153a27d5f5d5c0c1d2d69e53149ead1a269da28ba917ad730faae75d0ddc8457afc5dd0646
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4296	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQJ\\abodsys.exe"	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3R\\dobasys.exe"	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
4296	abodsys.exe
4296	abodsys.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4296	400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	86
PID 400 wrote to memory of 4296	400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	86
PID 400 wrote to memory of 4296	400	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\AdobeQJ\abodsys.exe
  C:\AdobeQJ\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeQJ\abodsys.exe

Filesize
2.7MB

MD5
6c17c8690762cf82d3e01572099c6a6e

SHA1
bb71e27767db89ae3667f2e44c620679633b8d72

SHA256
ba80d1f6bad978c6d196a7f3163c7ee091abe3e7aa4dff12d2254a154846931d

SHA512
4c3efc7fd1b64f2c1c4340bf1248260f6c0072e3c4c7d1d47754588cb6db5f56253c2568746b42c5934470f929ad764157e00f2b1d6a5f8e3898b07660fe49b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
68746bd626b8f51ece0e47a7f1635e4d

SHA1
4eca95b31ec10a69a7df030f8563abb917cf72e9

SHA256
c82ab1d6e7266b52d17afa9f43496d92163ca18f33271322d3fb86ccaa69a207

SHA512
dff26ae12ddc37247d415f660cc1559b0738a293cd96f8e6fc0129b4841e952fcb3b62b28efac588acea5cb0ceeb3c10cba72339e0fd01ac5a7309d7f8a6640e

Download Submit
C:\Vid3R\dobasys.exe

Filesize
2.7MB

MD5
bf17984085c3b2399bc7e75b12449074

SHA1
b392f310fd3fa7ddcde8cc51cd2d3e6071e2810d

SHA256
a3104f99b40a62af5111c34a639e830bbbd574a522bdafb1eb42ba91d6fd38d0

SHA512
53656fd73609c1d46065ad7e184688709211ba7ddd181acc866f6749d0223e73ee3624eca6a8ef2bf6300afb1b17fe0b309fef6c023a28bdf6e4f9d55abd99ae

Download Submit