e063641ca5d1967409962e6a9a83778b503dd5931f1cdf9db98ac68a24888e86

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
Size

2.7MB
MD5

8074e6311a311832d6a51537d117acf0
SHA1

c2005c87934b536fec046351f0195b982fc3d417
SHA256

e063641ca5d1967409962e6a9a83778b503dd5931f1cdf9db98ac68a24888e86
SHA512

2158b6e9d013363aceaf12d310db45db8ea2f96c3cb953f477803a6290fa9134e0fec85b0f0fac9f9f74a9a6772046b32d31f8b6d7ad543a6bedfc7feb114b42
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBB9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\adobloc.exe"	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXE\\optiasys.exe"	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin&::+>+&9+7381&3-<9=90>&!38.9A=&>+<>�\8?&<91<+7=&>+<>?:&locxdob.exe	adobloc.exe
File created	C:\Users\Admin&::+>+&9+7381&3-<9=90>&!38.9A=&>+<>�\8?&<91<+7=&>+<>?:&locxdob.exe	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
2404	adobloc.exe
2404	adobloc.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2404	4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe	94
PID 4900 wrote to memory of 2404	4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe	94
PID 4900 wrote to memory of 2404	4900	8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8074e6311a311832d6a51537d117acf0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900
- C:\AdobeHM\adobloc.exe
  C:\AdobeHM\adobloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHM\adobloc.exe

Filesize
2.7MB

MD5
fa6640ec13ff2dbf85e4e829b749dcc9

SHA1
305e8112c1e756198100923098836c8765ab4acb

SHA256
f0c249c2d130010c5cd9504d4d36968577b4f0675c97dbc1c06f03c8e76ae345

SHA512
185dd817981734a95335a330578b353e8084463aca2561e1043d863e5c226cb74748867a0d5de0d7cd700b1596899c14c9a2cf2d4073452125c1fe5ceae55266

Download Submit
C:\GalaxXE\optiasys.exe

Filesize
14KB

MD5
3ed08d693b317babf4a1816702acfdd0

SHA1
d80195aa289cbaee52acfecc4c9eab29ed3dea31

SHA256
d0ea3eb204fb4518d62ad6821690e91864d8535063915b32b4f876dfab3f033d

SHA512
6b81b52697973732bcefc930bb4e604d120c91e6a0f92526d1f1eb909f36eb6a6023b5ce53e71cebc787fc25242075bde5b6a1820662484647b1a87ec1572e99

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
e7ddede0953dd92504fad8a6e66ffe54

SHA1
6fcaf509774891fb5380af411641b5e4f03180e9

SHA256
bdec736b42627a7c1f1bde02a4b64445ef955c598b96635f2488ab93c067ae14

SHA512
ba203b456bd6e52abc6a9f68c65d612084ea777213afb65d650feff60c6f851ee0c2588684d065fed48727945fb813e51185b884b8b445425e38e8f06e282758

Download Submit