d9d47a7947b06ed69ecc40235776e24556fea754d2fc6a3c1b95e2078f6127bd

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
Size

4.1MB
MD5

2e578b229de5679bd6de477b61648d20
SHA1

17a0e6e8f39bd47186b503bf8fee56c810081f2d
SHA256

d9d47a7947b06ed69ecc40235776e24556fea754d2fc6a3c1b95e2078f6127bd
SHA512

dbf1805a4fa4a695e2cf4f74c6a1575ae38111a21ba1973783e38c6985999dc69e5691bc26a7e46b5fed66cb02297df0a650743e0144c429bf2c91d6c11cf381
SSDEEP

98304:+R0pI/IQlUoMPdmpSpH4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmY5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	abodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTX\\abodsys.exe"	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFE\\bodasys.exe"	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
2432	abodsys.exe
2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2432	2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2432	2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2432	2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2432	2364	2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e578b229de5679bd6de477b61648d20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\UserDotTX\abodsys.exe
  C:\UserDotTX\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZFE\bodasys.exe

Filesize
4.1MB

MD5
190e0c7b8def5f63112856ebdee22b1b

SHA1
19e5b06299817b1874c0e45311c56469eb1c069b

SHA256
8b25c447b0d64b2adc93976f57637aa8ba66dc4b6a4973fcd105098e812b45ec

SHA512
fa6867da4cdf44d738394c1c21bc6b8d9465a1132c2105e83d202608b18cb58c13671ca9115748af8e7e0a13fdba3c9cd042c50480511f9cd801565c572371e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e0d9ba0204374a781c0a0d94371cd837

SHA1
08a66ab9dc73722eb566bd7fcacbe849a060e095

SHA256
f10d34da722f4bfc3c81f77fe4e2ac10193131f77156a371640d2dcb3b7a8110

SHA512
518e5aad2f10817bf4ae55aebbec30f29a3c153f1e805e3bb8788a874a012d315f749047b16bc06f9205c423d0da549802e6e1e0993323bc4c03a9e2fd0bcd02

Download Submit
\UserDotTX\abodsys.exe

Filesize
4.1MB

MD5
425d30ab70849c9f4b6a322251e58250

SHA1
cc7f7f888fc45970d929012f7234413b26be7ba3

SHA256
69794a992024e6f1a1c02f6f57d40ef7449cd69faac94a31a52acd55b96e7fa3

SHA512
df843b1736c73e7bbaf2e42dd5d6b6b010dc3fab625a96358dc1712a102bd4f002c4917ee14a20a41eb49209577be767a2d1ddce563c55cd39b7af1bee1586b2

Download Submit