3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
Size

4.1MB
MD5

44e5aa239da8186a0bc6346a02553750
SHA1

385e5fdaa79604d11ca51d5b8c1907fcf0cbcd77
SHA256

3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda
SHA512

e6880a3788d3afeff5929a56960c68353c604bbb53dd311cfb0ee3c3a7387aaa267006bfa6f62182c80a0261cdeab4997a28231ed9f642a36a2ea7e719ebc7c1
SSDEEP

98304:+R0pI/IQlUoMPdmpSpp4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmK5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3892	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKA\\abodloc.exe"	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0H\\optiaec.exe"	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
3892	abodloc.exe
3892	abodloc.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3892	1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe	88
PID 1436 wrote to memory of 3892	1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe	88
PID 1436 wrote to memory of 3892	1436	3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3703425772d5a91af4e1ee26a13cb60d783bcb29ce9201ec708e7a3188e23dda_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436
- C:\FilesKA\abodloc.exe
  C:\FilesKA\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKA\abodloc.exe

Filesize
4.1MB

MD5
ceb198ede22ab9c6b842ea58fa0a06bd

SHA1
ea91805f97cd79ee815faecc1d8cd020fc795c8e

SHA256
40e7e307d8289ed56f9bb3d14ea6a8d6261107e31e04ad39573d4be68a0f75e5

SHA512
a3f7da75efb93289a422d191336d1df051756144cca515019753123ea96f81a9f494d1e3121284f5d164e2e3c08a06a62658fc3e9540bbb26812a0a9af5619d2

Download Submit
C:\KaVB0H\optiaec.exe

Filesize
5KB

MD5
3c1447a32f4850436e6a2de47925bc14

SHA1
330b5e43ee4e330d7602e1d148b82ddb50b12a19

SHA256
293da501871baaf7bbb94f933d180eeda1ab4e177269dbf9009f7b0affb5cf94

SHA512
f9e04d4e15b7137a5a1aa19f435a3eac87106d592f2577822a23d928dcace63d581f7c5af90d73b77ffa94ef555dd29e8a1ec2de6d498148e5815c61b71b3b19

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
189B

MD5
5e02b9bde82778e195f1b633f22e4eb4

SHA1
51f41ba764381fc267e887750b592259abaef1bf

SHA256
1f425143464d0003ae6867eb2fc66d3e30d00478e9c85e3fed0e26199dc85ce6

SHA512
390887a39a20cbcaca09e1047567d4d45f23cd797489b95ce977d743815f6fd9154fca71c6674891a4d0847c2949421ba009b990db284e99b50b483e2e69a880

Download Submit