cb3d868eca8cab0fec9a8c2986604d416c4c5ff540ee17fd755bbb53ae2a0e39

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
Size

4.1MB
MD5

1f226af41f0e4b710498b73013d81cc0
SHA1

ebbaa44a38f788b0f593dcd4172bc009280a10f8
SHA256

cb3d868eca8cab0fec9a8c2986604d416c4c5ff540ee17fd755bbb53ae2a0e39
SHA512

44703208e928d0e3e8117b864d3847180394e637d483c6d5c30e44400f2c4d584212fd29d6c319df10cb870001f8ae3869f3bc3b2ec5134f9548a50ae567c5ec
SSDEEP

98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm65n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8C\\adobloc.exe"	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBM\\optidevsys.exe"	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
2160	adobloc.exe
2160	adobloc.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2160	1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe	80
PID 1500 wrote to memory of 2160	1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe	80
PID 1500 wrote to memory of 2160	1500	1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe	80

C:\Users\Admin\AppData\Local\Temp\1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f226af41f0e4b710498b73013d81cc0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500
- C:\UserDot8C\adobloc.exe
  C:\UserDot8C\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxBM\optidevsys.exe

Filesize
207KB

MD5
29accbf3839fe4169083f3d46f2c3388

SHA1
d639d6afcf4fa45618ba15feb481e33eea8cae00

SHA256
0b46e2a702d630070e7bf60725ba13e386a156078af8359d01187c9862299e1b

SHA512
8caafd37d4b53febaca96ffe23d55c75ae6daee2c5a0a68062c3d0ef7de345d4f2ccf0c23508d58d901c9c790c9596460357eb55dc7e7e12755f30eeeb89cb70

Download Submit
C:\GalaxBM\optidevsys.exe

Filesize
4.1MB

MD5
e5a02fd4fb247fc9ee52ec32ee81b1d5

SHA1
990a2d2f4962cf50d2e04b2e8602f318c0efde1a

SHA256
81e6287ee548756dad81f126be531778ec1947dfe8f41d014d8f058413f5525b

SHA512
7a9e933886e1b9790fb53e3d3635658c57e5f18b6e1002af23bac4ebbe43338ee9f0964a4d2d35c1f21cf13ba867116dfce284d23730c76ec31d037cfdb91363

Download Submit
C:\UserDot8C\adobloc.exe

Filesize
4.1MB

MD5
eacce7b915f823c001708e97e84653cc

SHA1
3fcd79bd6961aab16c6f6552fbcf9acd654d6d4d

SHA256
204eff441fd91b977a49ce87724b5e5ceccee89456fd500518d5b2faff6f7848

SHA512
a8d6d1a5c0552ad42e38bf21e3e162d81bbc2bbd5a933efc00bd208ae9b7935489ac41a7e57e2aa0ede3fe69783d32ca081ba4d7e5a3078031281e47c30cbe4e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
933373f64ef8aa545fcd0c06318f9448

SHA1
63756f0d1771e09a7e1ea562bbc98d5242f573e7

SHA256
949b85f4446ec7a4912e5c06df678cadf7cff0e7f8975555546a7b1dc4545d15

SHA512
8e01035d2c13ee8646ea00ca96c0b5e422d58c4916f6e727bfe6b42d3acd6e78de89a2bf7101906343626419a1c5ecbac6d3829d27c250a146cd59a75ff63e7d

Download Submit