256f1501101ba94fdfecdb0b72ae520047df4c8a4c2033f1e16d6b41659ba623

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
Size

2.7MB
MD5

6301b92a18e8a578329124af3a95d1a0
SHA1

baa848b9cf71008d9ebf733c1d092adc5b516e88
SHA256

256f1501101ba94fdfecdb0b72ae520047df4c8a4c2033f1e16d6b41659ba623
SHA512

fed0d475b9dbc3769ed0269dc455ab6579ccfaeaa83ae8291ca3f44d8354690345681b59be271dfdfdff55988e810f6242326bb7d0d4c36675162698459a3cf1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDT\\aoptiec.exe"	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOB\\boddevsys.exe"	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
3256	aoptiec.exe
3256	aoptiec.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3256	4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe	89
PID 4780 wrote to memory of 3256	4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe	89
PID 4780 wrote to memory of 3256	4780	6301b92a18e8a578329124af3a95d1a0_NEIKI.exe	89

C:\Users\Admin\AppData\Local\Temp\6301b92a18e8a578329124af3a95d1a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\6301b92a18e8a578329124af3a95d1a0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\SysDrvDT\aoptiec.exe
  C:\SysDrvDT\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvDT\aoptiec.exe

Filesize
2.7MB

MD5
6d66765bbd389bc1fbedc85a33958f8d

SHA1
90f0b02144d8d6d17341ef93c0254c95ab4b0bb8

SHA256
72609ed861bdbf9642cd235240a494cda27d0809d974578a81c9c802482a1c3f

SHA512
4e758868eca177e0b845a716df176655ef1ad18bb3cd4cbb1c466286c5f039d52ebac24303b8d44885104193cd22fb2b7c9b383b6ea115ac281ab98e47461526

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f510fa1456212fff186ec3fcb78eae9c

SHA1
0fcefa6ac98aae41acaf6eb1e8fada333c0cb3e7

SHA256
8c59aa83b4e7ea8728d94d99aa7cd3d74f2c9358de5c1c58c2cdbfec91a9ddc1

SHA512
58ce82aa6087857f83fbcc7bd8661363e29b3dc29609168a46dc0bb3ff410ab6d51ef884aaeb9a6f76dc742e742601c4ecf3f0140d2d86b5cc39cf22991657c2

Download Submit
C:\VidOB\boddevsys.exe

Filesize
2.7MB

MD5
2fb9611bcf892ba9b4bc5469104fffbf

SHA1
c33c3d927e98d5c68590e6985d1f8c3416de7597

SHA256
b6aaa221e0c4209779df959de0fbd261b6942ea72b14622f5c9ff589a9f61ac8

SHA512
895ab14fe926896dcf488236af3c06d365372bc647a74058180707220d8749fbc98ffda951df4a59e9cd6af24c4f0fa92a6e96c97f9c1b8f02e497ca4db717d6

Download Submit