9434467caaa4ffe6c55ed04a605bb968abdb25da2069bc12971164a9490ad6a5

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
Size

4.1MB
MD5

295e4bbfc180f36f9c69e446afd9de10
SHA1

280e0223b5c0b95de7b48a21220d1c0112fca96a
SHA256

9434467caaa4ffe6c55ed04a605bb968abdb25da2069bc12971164a9490ad6a5
SHA512

888bf1f7b383b09a633b8909084c2da1eb815dce04183fe3fafb31940edf1e5ed2295d81c5b5c2cfd437f09c371e42ff6676c7beacf9acd9cd063597dca43b91
SSDEEP

98304:+R0pI/IQlUoMPdmpSpr4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmE5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	xoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7J\\xoptiec.exe"	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJM\\dobasys.exe"	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin"66 ':'"5'3\4-"\)8595,:"\4*5=9":'8:�+4;"85-8'39":'8:;6"sysabod.exe	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2360	xoptiec.exe
2360	xoptiec.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2360	2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe	85
PID 2152 wrote to memory of 2360	2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe	85
PID 2152 wrote to memory of 2360	2152	295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe	85

C:\Users\Admin\AppData\Local\Temp\295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\295e4bbfc180f36f9c69e446afd9de10_NEIKI.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Intelproc7J\xoptiec.exe
  C:\Intelproc7J\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc7J\xoptiec.exe

Filesize
4.1MB

MD5
7264bd5537954b0a7258c6bd43e3a1d3

SHA1
d2663f9f7f7cb792f33c64451219b7a8dcd49b16

SHA256
43f4f170ba21c9d6d07a5f1f24d813634425c9d24db0feb4768e6d6397739d3b

SHA512
290651b285ceecde8240ebcf0714c03e0efc45768607989d3e70eff4ed948166676312b8843b384b3945593754597be1d2cda9e88bd72aa59f8c8153634654bd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
0618e8957df53c440b9d2b0e0087db99

SHA1
61892e6124d0888cd523cea9b76c945b9dd62367

SHA256
ecf2566738fd6699f32b44b71f9c6cbfdd87eeb5adeab61464f32903beea314d

SHA512
7e2e91bf831dd79ce3430c845a3ef9565501f46528875961387b4a0fb924ec13cfe674b3290cd8db2eee0ce3c161816989c1aebbe75545541fd800648ba43ef8

Download Submit
C:\VidJM\dobasys.exe

Filesize
4.1MB

MD5
38f69db49f40afaea556ead2ae9cb1ab

SHA1
8b941528994c76976c44b6a59580d0128e32508f

SHA256
f04513a72d0e46fc16797416e2748cd2e585ffb62e89f4c050f40afa27e1b9a8

SHA512
d10d0cf685fb8aaa0d242475fab264d46d62e147b020ea31b619217f40c3ab214496c6fef03dc22e07ebae406458a55dadda8b23e7c4b7ae69a4cec7ec480a35

Download Submit