4c5de61ac009e8aeb78288d588b193c11739b83aff2742719f30558e1e7491a5

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
Size

2.7MB
MD5

a3c9d5506fe9ffe0c67ae3fe452a4280
SHA1

d23341193f9cbfa0bc1c857440d060680f789128
SHA256

4c5de61ac009e8aeb78288d588b193c11739b83aff2742719f30558e1e7491a5
SHA512

f26415b4c6e3c47bbf6f302bc2be9fd1b8c36cb85bd822bfa238d7394583264d10897ecbe0d6c908b22737f5746bd7462d9b7cf6a234a3b70fb3e2ccb86b5f6b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpy4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1580	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLW\\adobloc.exe"	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGL\\boddevsys.exe"	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
1580	adobloc.exe
1580	adobloc.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1580	8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe	81
PID 8 wrote to memory of 1580	8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe	81
PID 8 wrote to memory of 1580	8	a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a3c9d5506fe9ffe0c67ae3fe452a4280_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8
- C:\IntelprocLW\adobloc.exe
  C:\IntelprocLW\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocLW\adobloc.exe

Filesize
2.7MB

MD5
eebac22f8b5813aa8ec63d0f620d4e63

SHA1
c1d0dbcc09736909eebea7fee75994f16c4e9d0d

SHA256
28c0601bf7615810abeb159e5f2050afcd71d7657bee59a9af6f9186c421beba

SHA512
5588c30cdc4351606c4943dd623415f14fedb6fb327301ef5c9ea763f8983d39e2e758b271876ac53110ac11b2b7a6eb43c1a47d53b8ef201170d5ec161803b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
4e1b87ed778b3264b52bd72c84c3bd97

SHA1
7388a3c2c74e85246da9f3a884b6c9d100678166

SHA256
a778f726b7b6637df53763b40448cc58cc275c90f6e81c3e507855cb1f600613

SHA512
95f4af886e979b7cddde9077a92e2a2a6d8c35297c410ea3dacc36a6bfcdcc20bae3b61a7ae310b430730d3b0d2fd4bd5ace4f11d494e6f8c957f1724b64a66c

Download Submit
C:\VidGL\boddevsys.exe

Filesize
2.7MB

MD5
f3e76cbfdb9c1899c2115c869897ffdb

SHA1
a1903ba666a7945f672e2f3aeeb25bc7e89e82a8

SHA256
018b0ede3e9c773b4bda748761423cdc1ea05f5984771981e6ccfa7e92df5f72

SHA512
042fa444f82fd94c21b03664fc245789a4eced4eff86738c6c08ffa150b2314245d216afae50acbe46a5ac15a151a30d0a07e1b59e90974f346d6d877b0ee779

Download Submit