054a8483351e987c0a0aabd2d7e00741e90d48973e8662fb813346efccb2e88d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
Size

4.1MB
MD5

ec60a3bc9a1ad7fe019e4aafa6f7e900
SHA1

459f640d706dcf08fd27254d05d035884513364e
SHA256

054a8483351e987c0a0aabd2d7e00741e90d48973e8662fb813346efccb2e88d
SHA512

1d91d43d9b436f553e00e763d7b0770aeaf7db601ea15b06f81fb9b0587d9403347c6b124aeaef968b38dc559486b21b615dd2a15c25d637559dcb8903ee4a6a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpl4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmO5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2X\\aoptiloc.exe"	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZH\\optixsys.exe"	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
2160	aoptiloc.exe
2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2160	2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe	28
PID 2192 wrote to memory of 2160	2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe	28
PID 2192 wrote to memory of 2160	2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe	28
PID 2192 wrote to memory of 2160	2192	ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ec60a3bc9a1ad7fe019e4aafa6f7e900_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\UserDot2X\aoptiloc.exe
  C:\UserDot2X\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintZH\optixsys.exe

Filesize
4.1MB

MD5
1ffca7a1470781db1a19baf4592685ce

SHA1
9ba0d0f49b2321b34fd55b8e09d56398ad41f9d7

SHA256
3f54054ae97bfcaf73169d2a769d1eb835bff94910b7dc44c63964088e2c0397

SHA512
30409551e8bc2c69caac1f28b69e470232bb89f9fd2e8930cafbd4a2b1df8e8eba12c90dbbf12b10eb5266362662392f2ab6c04792a43fcf88a337ed7546619c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c38954f69774ff4bb75509e469acd763

SHA1
0f68c17c7f8a85949368ad84bef65fc0011c3d80

SHA256
b6a0296f226e028a261aaf5ca3003f63605aec75c8d989bf1130d622d2ea79a0

SHA512
203e98129a14a9ae17b520d7420225983217ff7519d235f3cdf16f6be0e8b956665dbcdadf6cc483f97b28298f50a8f9f707716f8a11fab2cfb954503054a497

Download Submit
\UserDot2X\aoptiloc.exe

Filesize
4.1MB

MD5
377992c48ff4dcd812fb14a0accc3a62

SHA1
07bc40d5c51d1034fbc8758ca8f9961b04b163fe

SHA256
414e865638f398c4e8cd2d1786aa3c989f335d1eda59ae1ddb1f836d107fdf0d

SHA512
7b0f68d161aeff5a27f358f4e8ab90709d6bd2c981b9969fafc857e9bc692b72e5dd1f42c831e51cb8a52850b5a0bf5923fe6549bcbf70883fdb31d5aecee327

Download Submit