66eb57856fed9eae04cf8149f941ba9106666ab12229fabdf319dac87467eb0f

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
Size

4.1MB
MD5

4b9aa8adfcb4b933bb7b47fae2cb16c0
SHA1

bcf7cbcd81c54d6b443f97ba1938f6c049cb6165
SHA256

66eb57856fed9eae04cf8149f941ba9106666ab12229fabdf319dac87467eb0f
SHA512

08f55893226b166507929306f1633dbc0d65cfe7668217578d13670e6aa4b0855ecd6db57cc524f941feadba096779d44c78608419d0680df64887e3dc6e5573
SSDEEP

98304:+R0pI/IQlUoMPdmpSpK4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmJ5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNS\\xoptisys.exe"	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV5\\dobdevloc.exe"	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
3004	xoptisys.exe
2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3004	2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe	28
PID 2172 wrote to memory of 3004	2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe	28
PID 2172 wrote to memory of 3004	2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe	28
PID 2172 wrote to memory of 3004	2172	4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\4b9aa8adfcb4b933bb7b47fae2cb16c0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\IntelprocNS\xoptisys.exe
  C:\IntelprocNS\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxV5\dobdevloc.exe

Filesize
4.1MB

MD5
8342042bae313eef442f19d70905c052

SHA1
188131cac215baecec9e719e05cfb1fb109a6658

SHA256
4bb5cd1caea6d27abb964396ce436a4726d3e04834a16bab06079f44786213a0

SHA512
04f56284cbba70004d0502eb1a3840fcddae38aa359d575ae4d65ec4627351b60e1ae6bf764c6882e29df04743082491e09a0f7777d4103f81d4740b0bb223b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
687bbc2e9fd41ed504280bfc79c653e9

SHA1
ca398c85e39b3e845ee657dac86456513993b1ad

SHA256
9abe255b0609d2b1dabc30186a16f3f181adb3959514d61d509c919a58f3613a

SHA512
3e9125b7553ecaf31098f470ee105e394a8936ae9d6957044551570f964411df001c6570bdcfda4938f3964ef383d21774a943094335ba42093a7bfb18744066

Download Submit
\IntelprocNS\xoptisys.exe

Filesize
4.1MB

MD5
5fa3e9b759b2ceeec1ae3aa9d7799d57

SHA1
5843b89384713a81fb4fba569842a04e4e4826c8

SHA256
18a4e0030e7225ac3fb73895e0473f60977da6429498cebfa0d766b127211e66

SHA512
27f8b21a9655789c9fb32b5e86e14cde5280037622ebd7d0be818ab9ba4ac142e690b591ecae667631b00151feea3767f5a4072424b3543a6b8bae0acc0250f8

Download Submit