429fb199a24ea7d5485aa0763f6a9e8d97cd373640bf273f52cd41db62912643

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
Size

2.7MB
MD5

07977a4c6cac0605de1e5a597d8c3d70
SHA1

a5f1f910d92d20be4f1c24b0814638d6ab5c57f1
SHA256

429fb199a24ea7d5485aa0763f6a9e8d97cd373640bf273f52cd41db62912643
SHA512

476845c9d4e6426ce2411d4833f083828eba1b7026ee904a9cd32f20397b856bae423fdca04c328bada31af4555c2b10e251a540aa1bc929707c521f8390f9d6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3876	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNP\\adobec.exe"	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9H\\boddevec.exe"	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin"66 ':'"5'3\4-"\)8595,:"\4*5=9":'8:�+4;"85-8'39":'8:;6"locdevdob.exe	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
3876	adobec.exe
3876	adobec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3876	3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	92
PID 3152 wrote to memory of 3876	3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	92
PID 3152 wrote to memory of 3876	3152	07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\07977a4c6cac0605de1e5a597d8c3d70_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152
- C:\SysDrvNP\adobec.exe
  C:\SysDrvNP\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvNP\adobec.exe

Filesize
2.7MB

MD5
74bd287201f31ec4b1b08688f62d607b

SHA1
0acf1b4b6a9f7526f1a39fd277e91c3001f8b0cb

SHA256
6bf48f618707fa610c3100007f472481a4cc9fcb9af36265410d76712dc18fda

SHA512
8aff8fb0c9fd613e4f9ed04cb23394d5c72372e75f0e8f5fdfe8d79f5c16253d3f28219f42081f4e90ebf045f7f9f49d6f7fa3be4e905f4b3b678930ad421010

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
94cf79a14dadf3ce5d4c076141b1eeab

SHA1
3864cbd8540b4a1f2e5e03778d4e4e50201c3186

SHA256
1486d5f2fe70cf58ca50888404a735c9a95142a113677b1eceb9c4580f5eaf7c

SHA512
5a770d1981e2d3e0db6e307720b56fdb64ffd52edbd80d25a5a6344eba8c76ca3d315f6eb1478eee77c58e170c4ce7ca3434bbea03cfb670b55434d5e004db22

Download Submit
C:\Vid9H\boddevec.exe

Filesize
2.7MB

MD5
200037a5eb22da85717fd05e319e730f

SHA1
b98559826d9d29d4bceb0f6a68896bddbd9e9d5d

SHA256
0b79eb119475e604a99c203595da0842ba687b582bc041f20ea77557c66db4cc

SHA512
d1a4b7432e04558d4abca78f6b3fcb3cfccad1fb3119cd0eeb4781c64ce950ff3a9ba790fe40f3db10123754872ce7f290680c0974e5f99a92fcaddbc4b3d43d

Download Submit