82c17157a26f02b8007afb7f8f85f9bd461b919653adb199cbe08dcac454a758

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
Size

2.7MB
MD5

96a36cc0875fcd74c888ea78a9a591c0
SHA1

545b3ee9c269d4b05a575c0304c0ebd4a29a9b16
SHA256

82c17157a26f02b8007afb7f8f85f9bd461b919653adb199cbe08dcac454a758
SHA512

47cdc4389c523ffa1c76998108800c5f18da32275c961abefefc80306946994ac0032611c2fc28924a63766044cc39572d56e535209adad663499b6e1ebec347
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpK4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4192	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKW\\aoptisys.exe"	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5Q\\dobdevsys.exe"	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
4192	aoptisys.exe
4192	aoptisys.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 4192	908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe	87
PID 908 wrote to memory of 4192	908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe	87
PID 908 wrote to memory of 4192	908	96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe	87

C:\Users\Admin\AppData\Local\Temp\96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\96a36cc0875fcd74c888ea78a9a591c0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908
- C:\UserDotKW\aoptisys.exe
  C:\UserDotKW\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5Q\dobdevsys.exe

Filesize
1.9MB

MD5
001e2cd14fb4b1825ed8fafc4a1a6471

SHA1
692ef134c30e1135f7200d0b79bd0f58acab4d0b

SHA256
812cd6b7dcda45a05e625f2c9b567e2ac2139ae7ff4b143a8d715ee406542831

SHA512
c8cd2744f247eba0cab1b775141d9706b64769149c6f936c72191c9ee43d099f45c7a9263bedd73ee9272f4827d8ec6d355b4d1abf7202a7bad37386736a2f20

Download Submit
C:\Galax5Q\dobdevsys.exe

Filesize
2.7MB

MD5
9a7471f1ff22fafca625a8e35eea0746

SHA1
1875bff0aaa668c8e275456afdc930223f6e0e06

SHA256
ca510039a13fbd7da9f359a6e2b5f683d91ccc68c55ff86e7f9ad1bd2401b1ae

SHA512
2ae24839d8481071c7aa449540f233a86449fe4caba21ff9e82d573e753a8857f32f31f5548fe5d78e305c25360d05be490b9fe107b688c8d884e39af9538075

Download Submit
C:\UserDotKW\aoptisys.exe

Filesize
2.7MB

MD5
5b88a5a971a6033307bd1e61c68f2c10

SHA1
262849efc95c709dd7cc23d9c9514b768d6df967

SHA256
1203359174fdcc0f273dfebbd6ce32799f0dcd02caa4a4f85945d3e76b438792

SHA512
5e4ca09d3355635f6124d8d0a375a6ddf6cb863e320a3a46e8888b03f117f1a36feddeeb0232c2f08fe130c54c9ea31d30bc3de8c07e32a5ccb018342e4cb9fa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
b810a66fdabd8d191318e442f80aaf4c

SHA1
c150224363a9ed978d3f52a049f584d732b08c33

SHA256
0e0e72b9d8ca766aa28596184732031bef3dcc3c7484ddeb0a0d4a937fc74e8e

SHA512
152a1f91d9a1a265f0694c14744eface9ba882b81443685325430fe7320644c9ed4438142c53cefb61406f86dc8338650835ed85d2791a12d42ec7c57d4128ad

Download Submit