58d8cbe5afd2383384458fe78138091dd24fd8207441a2ad7c08ddde9d06f1bd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
Size

4.1MB
MD5

4c4ee091c3fbfab85d1a136d93db9550
SHA1

4b9f427220a352a9066e4354a8e7aabc31a4b480
SHA256

58d8cbe5afd2383384458fe78138091dd24fd8207441a2ad7c08ddde9d06f1bd
SHA512

f573e2152c3d1d2e11817ac8bbd42a37b7da86f442b41d7f4e3e110a84c394c6f9a9f2dd50794aeb61d79b15a7b56b463c64dea99b77b04ed90dc89089466a88
SSDEEP

98304:+R0pI/IQlUoMPdmpSp94ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdme5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4476	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot35\\adobloc.exe"	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEA\\bodaec.exe"	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
4476	adobloc.exe
4476	adobloc.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4476	2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe	84
PID 2408 wrote to memory of 4476	2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe	84
PID 2408 wrote to memory of 4476	2408	4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c4ee091c3fbfab85d1a136d93db9550_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\UserDot35\adobloc.exe
  C:\UserDot35\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBEA\bodaec.exe

Filesize
4.1MB

MD5
ce2c9e743aee994a4c5e3eb016ea8968

SHA1
69520cdc9608d0f9358944bde782ae05adf964c6

SHA256
ef2467b6e2e272f7a14fb6b6d9a3c8be38b52398f535a6eea9fb542a2ad5dbf3

SHA512
a447ebf24fbbba3f0830727ffd729c8e687363f71b4a77a6a445b24836ea3b62d6273ae6df7176cbfafd3653bad43ece44b6bb7720ebe70853fa8c9a4fdea688

Download Submit
C:\UserDot35\adobloc.exe

Filesize
4.1MB

MD5
2b7da658607200fce04cf4ffd3548ef7

SHA1
56558b6dcc24c90c9478f65879b05c708f743230

SHA256
2c71aa559bbd6cb457cea0ca1eb4d12f506d9b35ed64876cbd443857485685e2

SHA512
0e8a248711905f880386cad5717ab1cdb4be59163bb61bd40751a5f68cb90fba23e7babf8bebfc02c763a0cde20e9a5897173c387da337dd4696da77133c052a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
190a3201de167b2d46dfa58848bd345d

SHA1
1158ac61f90c444cd61f51fd0f972b3d6266eb78

SHA256
2b2cd70b3ebb014820e21ce53f78eb63029bae4bde6878d837c36823c5af18b0

SHA512
bad7e7db84ba6f8332b56c219232ce1ab8cf850dceb588aa1adbe70138fff2bdea8e8ede6ac3fa177b9605c50a94b37dc67aa9b89bdf83baed9e0957da3f2e0a

Download Submit