3385a56253d5a09fcd839a2b1321066093929e6bcdec4cd25b61620f82d2bb8c

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
Size

3.1MB
MD5

b2158b4805abfcd758056de46855c580
SHA1

174949a4bca1c85b4f7ee19cc3c7dab618c92de9
SHA256

3385a56253d5a09fcd839a2b1321066093929e6bcdec4cd25b61620f82d2bb8c
SHA512

f3bddbe717b822b9a66933cfdb214beedb03d792573f58d80eac6e6f20e79e4abac58114fa95a8349b286586dd2717916ac1e9ce59c50ffed78daee1a306cc7a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Su+LNfej:+R0pI/IQlUoMPdmpSpr4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAR\\adobsys.exe"	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBO6\\optidevloc.exe"	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
2408	adobsys.exe
836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2408	836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2408	836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2408	836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	28
PID 836 wrote to memory of 2408	836	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836
- C:\SysDrvAR\adobsys.exe
  C:\SysDrvAR\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBO6\optidevloc.exe

Filesize
3.1MB

MD5
00b3a243d51547fd1be69b253d9693a7

SHA1
98b7c39bad38af1b4f4138c46a7291b894e4083c

SHA256
3a5cda1f033860fdf97089179d56b51cb70678dd1a7e16c2a4ccc563caaa206e

SHA512
06b1af4f7ad67d687d70144fe2f97a04a814fa60831dfd05db1413f3e5006da71b9dbb6abb30364374c1ae040dbcd59cf9d22baa14a4fb6b392890c404fb8bec

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
418a266b0e6b3705df5d2f4b71e73ef9

SHA1
b2d05949e776e861e489378e6393f25a592c7de3

SHA256
7ff9a231f8d5d9681e2cf42ef416d79161cab9bd051d7d995a57f21e3081ea0a

SHA512
bef7260def58bd70958a8017933501795a91618afee8ba4e9d39ec13d4356fd603961b6e056be3338db399011d9c8ac8282992c57c12152891b4585064000f73

Download Submit
\SysDrvAR\adobsys.exe

Filesize
3.1MB

MD5
8d53c482f049cfbef2ac65fe020e2289

SHA1
d88f8121e5ba3b77ad2a6eecf82f03f391559779

SHA256
038f946d6ee46e5b3feecea7fa28f073824b8fa6ade3731f8225352f87c20941

SHA512
d442c8fbb5e77c4e5955be179fc42eedd3d7782e20d663eb33c0f46ae42673ff6cf8353d8e2027b2838b155d4f12ea37a8138c21eed8892682ccdb1b6fe7c62a

Download Submit