33b724c692d11939e39c9c13952d913240c8f3c81b1c3d3497b6657c039d345f

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
Size

2.7MB
MD5

89ce8865b6a1983a8e2a08243326ddc0
SHA1

9c8776de72f9df5dd38f73ffc4d3e709cc78fc6b
SHA256

33b724c692d11939e39c9c13952d913240c8f3c81b1c3d3497b6657c039d345f
SHA512

6087593a69b5d5370707b4514598b3885c8e26e2118e08b7b0f08998cc80a63c0c61cbbf1394ed08adf852d779d766eaedb72cdb0279bd2db203a2b367790152
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSpO4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4420	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2L\\optixloc.exe"	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGL\\abodsys.exe"	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
4420	abodsys.exe
4420	abodsys.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 4420	944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe	87
PID 944 wrote to memory of 4420	944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe	87
PID 944 wrote to memory of 4420	944	89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89ce8865b6a1983a8e2a08243326ddc0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944
- C:\SysDrvGL\abodsys.exe
  C:\SysDrvGL\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ2L\optixloc.exe

Filesize
21KB

MD5
690b914ab9e9e035c1e8ada04eaa1ca1

SHA1
5771e0a211bbc1c755a328d3a4198b67d73cff78

SHA256
6d8b327434643eaad1427c5c29176b11621f694d8bec558f44149cdfe0fa21c1

SHA512
4347afa36c1de7ddd47bbb32ee44d5edb013f670a9cd3d2e07e7b3c1c85e7b33e9b39a150f9160053c02fb8c3893aa8c4e06e3471ec3e62fe508c1c80421a22a

Download Submit
C:\SysDrvGL\abodsys.exe

Filesize
2.7MB

MD5
08283ea68c5fcaae36c1b8ef58ff7047

SHA1
0bb1909862a90b7a066ce08d8282d1185168612a

SHA256
ccf5410f8f336a2ed75f4253f1db5eba9d8ef05d812bfe37b0db57736c5cc50f

SHA512
0050c03c043fd054b4dc9e8b539517ad6ddb8d8dea9c12bb05d25d872671540e8d11436f1ac6ceea012581e7ef9e44e081ccdcaabd253b2c66b3c66cec28b298

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c1ee04774f23d7b8d0a606b9e51a75e1

SHA1
daebe42ac17b5c2af08343d523e795297958d356

SHA256
e7a526fa2757936e41d11ab30940479599a957476fbcf575c74df436f99670f2

SHA512
0b9b8c8f42e2426d08404130701d9de0cfd8132a635cf635f788c531e7c9ab651f4a091e803f1d169605f237ab718f426c227037df7e4306a3ec40f65e06ed16

Download Submit