1d97fe03b2dac172634c4efc127bc0415c3ec067e25d98064d2cd245395f0105

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
Size

4.1MB
MD5

707d05ac5ac0a8094439b4c24c140d00
SHA1

226a03937077a0c10885e719645da7631c144a43
SHA256

1d97fe03b2dac172634c4efc127bc0415c3ec067e25d98064d2cd245395f0105
SHA512

7c5f6773ad725a8a52a956167ef86c283efde423c39ab8dcca83dae77784b4ff0887b8f1ba5197e35c09f8aa09beb83999360180c6c05402d36a52357897116e
SSDEEP

98304:+R0pI/IQlUoMPdmpSps4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmP5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2976	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv06\\xoptiec.exe"	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBSW\\dobasys.exe"	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
2976	xoptiec.exe
1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2976	1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe	28
PID 1660 wrote to memory of 2976	1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe	28
PID 1660 wrote to memory of 2976	1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe	28
PID 1660 wrote to memory of 2976	1660	707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\707d05ac5ac0a8094439b4c24c140d00_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\SysDrv06\xoptiec.exe
  C:\SysDrv06\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBSW\dobasys.exe

Filesize
4.1MB

MD5
3754962b6954fd9e20b402140d193fa1

SHA1
66ed4a3a33af854fa34a174d095fcf4ebc8df68e

SHA256
b9ed40571d0bbaf4ed19d8d0b2fcced7fbe62df513b0d4432a659d0babaaf464

SHA512
275db3dafedd8aa9c715c9e01118aa315622a6f11cd49c943cb212ba7453a2f793333edb1a39095721dcc05b3251532b99ecab887ad8c557dcd5a1d1d7471e6d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
e41af1ff6b30a2703f418249caf3d1ea

SHA1
8eb31256be14461764b92d3c57d4a1920a5f140c

SHA256
427b5a1f085fb8261b2a87c59246dbf66672fb20fb27659ced3e54964fc0cc40

SHA512
f121e297b67e56c1baf3a4905e0d16aa35c7a7cb5fd4f66bace2a3f2b4a29cde45e90b46a7aae3568c7fc21c81bf9658b0e2291da6082a5833f64d615648e032

Download Submit
\SysDrv06\xoptiec.exe

Filesize
4.1MB

MD5
e625455022e663f759d199f1015e182b

SHA1
a5535bfd92878e34e4c0786cf98f457bdcb1b22a

SHA256
d92ee524e4c4a2e56b25a150463a034c3704089314f3fedb503f27d06247df7c

SHA512
fa8def3cc1832dcb4bbf9a2b0836c1879a36f1a789a841d99c29e3fb928e479312c4245d096b4ab1e83405fd5c0aae639e56fa617634a87190184883e58a21c9

Download Submit