f961e0e30956481f55ca5c892b2ad479770c02eca3f84dca50535ddae539cdc0

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
Size

2.7MB
MD5

1b9233b10bb667b0c131aa55f4f23420
SHA1

f0b608498f178f80e723f1d5645d47242e8045be
SHA256

f961e0e30956481f55ca5c892b2ad479770c02eca3f84dca50535ddae539cdc0
SHA512

a6a8e6495970452c9a19ea4b48ea11c0211a360fadce53e3bf3a7c73f83a536da02ab72cd69a4f83d866f6f83d8aa98f1c2210c384396579f2e31f22bf776506
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSp14

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKW\\aoptisys.exe"	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5Q\\dobdevsys.exe"	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
2224	aoptisys.exe
2224	aoptisys.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2224	1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe	89
PID 1076 wrote to memory of 2224	1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe	89
PID 1076 wrote to memory of 2224	1076	1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe	89

C:\Users\Admin\AppData\Local\Temp\1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1b9233b10bb667b0c131aa55f4f23420_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076
- C:\UserDotKW\aoptisys.exe
  C:\UserDotKW\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5Q\dobdevsys.exe

Filesize
2.7MB

MD5
4ac1a8040604c5b8fe881fdccbf8030f

SHA1
dab939603f15478f370a8672a5c46d1f1b41a1af

SHA256
a4124f89a94ac1cb30c1592763d8434112dc87ec6b1796397cb4958e86b920ce

SHA512
6658da1410c6fac65d16f63ccffc0b5d0adab435660e2c292e8472b1e6403883ebee467f5a14b55bf93c886b77e229cb471c26cde1ad022b12788335b87dc389

Download Submit
C:\UserDotKW\aoptisys.exe

Filesize
2.7MB

MD5
1e629be350baa80126ae0bf39ed5c065

SHA1
a0d4b2c7b7948115172952880fd5e17abdf6ce96

SHA256
8aa440bf00d9472c8bf76dfd97b6fb6a98d4fd27e3cf29e6b66acbe23c244f20

SHA512
efc9b404ccaba2ab10ea78797b6365fbb26638ddaa3bdaadaa562c339b8afaa865a67e6cf951fe501cfeabc2c34df87915609f866d3ce7b3d7d1a57352f12abc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
195B

MD5
b46425236c978a0235b1cf60f312001d

SHA1
f8d63411bf60e0f80eeaf137000ce42fc21b7f35

SHA256
3606cf34af47ba4bb123ff59c67cb1fb8f65bc21380414edcdcba9412278a6c3

SHA512
da91de446c9715f8333b6bbbe822718ff1c986f615af71e65f6da2275720966f9a851dd74c004b4df3b0fe40afcc7116004998734f853ad9afbb85505c876382

Download Submit