79084bdcf31a83ae63a52caf1607ce4585a5a7bb09d20f8b33232449f0e33788

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
Size

4.1MB
MD5

a1a9484b82ac29ff2eedfdcb6fb46d20
SHA1

c244833b0e13900ee0d5d061d04b1aa79ce2f8bd
SHA256

79084bdcf31a83ae63a52caf1607ce4585a5a7bb09d20f8b33232449f0e33788
SHA512

f250efd62568f051e2f29daffe37bae7d2c0c7fe7d2d2908bb664b8319d8f14befe1f6437cef51c49c2c8182c14ee4cfc71f9015616f304bd5027290c1757dc8
SSDEEP

98304:+R0pI/IQlUoMPdmpSpB4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm65n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3976	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7S\\adobloc.exe"	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXA\\optidevsys.exe"	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
3976	adobloc.exe
3976	adobloc.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3976	5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe	84
PID 5088 wrote to memory of 3976	5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe	84
PID 5088 wrote to memory of 3976	5088	a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1a9484b82ac29ff2eedfdcb6fb46d20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\UserDot7S\adobloc.exe
  C:\UserDot7S\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXA\optidevsys.exe

Filesize
4.1MB

MD5
c759eb2a174af49847e544afbc733649

SHA1
45f8080cc711f9a75833f2de64b36b7e9c9e0429

SHA256
bda40ec71f79e71ea4c464beae30fdafa994124d8f30ab35be385c599384b02a

SHA512
3811c31ff2832d74373f2b1278c4bab29d19a75bca650e53a93ac88d978193f554dd9221e880b8f52b780c8e7a23dc274db08650bf0e76d185c0e7b47041c323

Download Submit
C:\UserDot7S\adobloc.exe

Filesize
4.1MB

MD5
0adb1ab9185f118ddf435c9a3f051b92

SHA1
0a4118e146eb03502e504c53463b5b501800b493

SHA256
fe234d6849a5a1290d6f71ada9e3587fe5bec228bcc4d3bb5ea3b5be1cb0e2cc

SHA512
4f660aab8d3532adde9e39d591f85190062a9b06dd6ab1e1fce1705cf19fb395fd02ccee61b5857275b407e49ece28e326ba697d0ae69a961114276ced0ee9ed

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
e513f7f1ebcea8025cca128b24871c86

SHA1
2e7ea542b9e9b9b3536da0ff43ea92b84f36e8d2

SHA256
7d0908d0011dfce27b505fb8136e98045f90faefd9ca6aa0a0b9ac9054bbb9bf

SHA512
9504830454d42123480d5836bc8d9a2f3a768c6b459a8bf17b02444385134fe9a8433a67a66a1cd034acac976ae3651e3f23334fc211b40f05b62388be594383

Download Submit