31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
Size

351KB
MD5

5916df5e00d3efe65503acc4d17b11b0
SHA1

8012934a13944738dbdf59b35845c4ee6997dbc3
SHA256

31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57
SHA512

a06123e68c619b03e273c0068a6d340c1f2c5ca774a4dfd3078cb800f1fc42e1d086fbdc2c38cbd52a5d3e19a31287c9d86271e76ffd03b7480e2fb34cb49807
SSDEEP

6144:Cs0N0GfEoS6ko+7bRD0I6qgG6z6QnkNblLIFifV9y7T+1lJri8Ey:n0N0GfE0ko+xD0I6tGo659b9I+c8E

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob[jln[kn[nl[kn	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTC\\adobloc.exe"	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZR3\\dobasys.exe"	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe
3844	ecdevdob[jln[kn[nl[kn
3844	ecdevdob[jln[kn[nl[kn
4828	adobloc.exe
4828	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3844	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	89
PID 1844 wrote to memory of 3844	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	89
PID 1844 wrote to memory of 3844	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	89
PID 1844 wrote to memory of 4828	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	90
PID 1844 wrote to memory of 4828	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	90
PID 1844 wrote to memory of 4828	1844	31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31284639c86ef5263cf34f710c3fec7d21e0e5e9a294b0a9d4842c97a81a9b57_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob[jln[kn[nl[kn
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob[jln[kn[nl[kn"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\AdobeTC\adobloc.exe
  C:\AdobeTC\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTC\adobloc.exe

Filesize
351KB

MD5
433c6475f9842fff247d681b305b91f0

SHA1
1665b39ec1dddd41d579461fb4a9bb108c8bc48c

SHA256
5cf45f0e1dda208cb2376d5dc616893dbe6d838a3b317884fa9f88b6f810f455

SHA512
cff48e58ea9346370882a17bf409528a90fb9fa9365c7023da734d05b6ab2af3b810487c06346121288d87a78a431a97a634a61d5dd2868f538a7240e04fb97b

Download Submit
C:\LabZR3\dobasys.exe

Filesize
351KB

MD5
3a8c00ffc1877e132b8ef44491dddb17

SHA1
c74b45b0fc57c501e423e6564bd90beea26ec1ba

SHA256
1d1bc5cbd9c3170454ff677dec7b2898c4e79053ef342c29b96c788ebe1a4cee

SHA512
1136102895e7eeba1328b0711b7b9972b338ef936062c8551ba8d8f6fd7c450adb36860ab105e05b53fd7b6321565cfcb1f370302b23bb4b4b2365e3d446650e

Download Submit
C:\Users\Admin\253086396416_6.2_Admin.ini

Filesize
175B

MD5
83ff87524f3de82eae38792dccca81ce

SHA1
cd62d73a048cc812baec84071d927e62b4915561

SHA256
c2cbabf54be2a54c310a4be44eeb9f6f4ef3a38c4acb32db96248837d0ebf875

SHA512
eb623c7f7620b30a86b8a40cb93204e2d6cd2a62a7e464616ac213f682e7f7a844d4af93fb4dce61939630855acb35832d78d5afcfb508f2c2cf42fa6c6c70f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob[jln[kn[nl[kn

Filesize
351KB

MD5
a548edbbe577613de9dc1880ef324571

SHA1
abfe502e30e0f6b65579d965964e8506e407a04e

SHA256
6e2cdaa6fc576cb86c252b190123474ea4741d5bcf3b54da55fd182b27b8a4f7

SHA512
e5decd6bdca15af8914d75677b7353e269872eb07638863ed55209e446fe25c912f7dad009bc0d5932969d3c84de81a2f94e413ab5243ea6392181e4e4f70582

Download Submit