3385a56253d5a09fcd839a2b1321066093929e6bcdec4cd25b61620f82d2bb8c

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
Size

3.1MB
MD5

b2158b4805abfcd758056de46855c580
SHA1

174949a4bca1c85b4f7ee19cc3c7dab618c92de9
SHA256

3385a56253d5a09fcd839a2b1321066093929e6bcdec4cd25b61620f82d2bb8c
SHA512

f3bddbe717b822b9a66933cfdb214beedb03d792573f58d80eac6e6f20e79e4abac58114fa95a8349b286586dd2717916ac1e9ce59c50ffed78daee1a306cc7a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Su+LNfej:+R0pI/IQlUoMPdmpSpr4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
408	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1F\\abodec.exe"	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZG8\\bodxec.exe"	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
408	abodec.exe
408	abodec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 408	864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	92
PID 864 wrote to memory of 408	864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	92
PID 864 wrote to memory of 408	864	b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2158b4805abfcd758056de46855c580_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Files1F\abodec.exe
  C:\Files1F\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files1F\abodec.exe

Filesize
3.1MB

MD5
7a31f94d9f21c3074938386afe6f5cb6

SHA1
e631a1dea6713c96e9e70bb1163e3d544a0ec10a

SHA256
3745ebc18c99f21327a6343167ef163adf0e13cf17ce1b542662ff7aec81c4da

SHA512
7bbe8d91e47cca9b2589210fb98f9e908f525babee766d7ed221806af8f73890269dc5dc21d2f89401ea952045668d585213ad88711ae8334e7b76d37e643047

Download Submit
C:\LabZG8\bodxec.exe

Filesize
3.1MB

MD5
6c87225de686795910c21a85017425dc

SHA1
babcc1ccdce0fbf03cca3f5331efbe53bac95b92

SHA256
2593ca324b310847ef60d179379778c6eb9e0330f4f9f27ed7edc93ad1aef502

SHA512
27fa6e5fc4a49381fe142fc10e1b5b6fc384ad5f965dcb3f17a4530da8ba89092990e4269572c56cd18b1f846c58b3d74b31099cdecc15aa4f0a17000a3f8f76

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
197B

MD5
f9ff58404d5107bea1f9414f6eddb749

SHA1
1a17f027543880147e3b8d6bb8e83e5cd7b5aa21

SHA256
edc5c3248f8b38cb325d861623e4350c8dbf02bad1d596b6e48659e13b304805

SHA512
ef145f637bef28550472b734e98a3c24e9ed17107ab9246da078175188710d3e364a9d5f1af661b4cc1f5d8ad6bacae4297fb06a3655f229700d56af5cf6cc5a

Download Submit