a22dc50cbf380b75568b6b34e5856bdb33dcb0098901fa756df121f5a509754d

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 00:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
Size

2.7MB
MD5

1c067ebbf223245b51f48da21cb85290
SHA1

952ae1dc7f7fb985b3e68f8ae7a44e9cc3d7fe80
SHA256

a22dc50cbf380b75568b6b34e5856bdb33dcb0098901fa756df121f5a509754d
SHA512

e43277869b9876b80ede3d0b81b1a0ff289c492d16cc102364415cce44f85dd7bcef9ed0b851be55d658f405f999bf4594c2104057eefaae42caf08f32e3b2e5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSpQ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3344	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC1\\optiaec.exe"	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFQ\\devdobloc.exe"	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3344	devdobloc.exe
3344	devdobloc.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 3344	3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe	90
PID 3336 wrote to memory of 3344	3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe	90
PID 3336 wrote to memory of 3344	3336	1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c067ebbf223245b51f48da21cb85290_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3336
- C:\AdobeFQ\devdobloc.exe
  C:\AdobeFQ\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeFQ\devdobloc.exe

Filesize
2.7MB

MD5
7b88e312aa46cda778830f04ea694efb

SHA1
d2c70d695ed1389efc0f64e914e58e54b64e001e

SHA256
dc94298168ef2a679962e09eadc2b335f86f58822e53c6f628b473a20a651dab

SHA512
b5f2825254c38578389535745332b571021b91ce6e5bf441c00aef9113771e5facad98d34deaab2a821f87ea926538c7aa2a20b0f9b1ba9e6fd841b9f8ee8eb2

Download Submit
C:\KaVBC1\optiaec.exe

Filesize
183KB

MD5
bfe578f6f1c64e5654ab8b63e4e9b5d9

SHA1
da30994d7c78e7e2f42e25a565dfe5c722baad8c

SHA256
42433073100ba501c594de604d7012297d95556ae585959e5e4567d266973e32

SHA512
65eee18ca0ce6bafc89b029c94e0df467e262b8ba7439b3e28eb1ea30f13d8da88b46fa26fcec3077cd216bfbdc88de7ed79bdb7f1986f510361522a6265e8e7

Download Submit
C:\KaVBC1\optiaec.exe

Filesize
2.7MB

MD5
c627431a20d42b2d5d60fe5a636035ed

SHA1
7be95f1b1f8bbd20d612471dde112bbdcb23d3b1

SHA256
358c7c280f4dde63710dd6ad5d070a8509df09d846865952f2e046a0ed82803f

SHA512
5fe5836dce5302ed7ed99aeef4330dce25cc6eff4487ef1d7cd7a9c30a61228aa87cb92924f9a9e85ed46391355375af94d62e550f93906b67f0d341ddb706d1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b8973d6c300c63fb4b29d8da15ba86f5

SHA1
7a3826958ec3199eff9deadc53d9fa91aaaf0d57

SHA256
df7d472dea59e3b39071050ab2710676b99e6e6d54149e646823bdbd16ef170f

SHA512
49053d15ec71877f4900bef9cfce0c2ed5bc77210ebc0b84ad8e22f4c7464429a78cbd627d45d232f74d389118fd796adcbe5cd18ecd3a45118d841dfb75ca5c

Download Submit