8bc6ca56cc010dde8bbb42910f42d6a25c8874a3f0634188b70f6b17000c4eaa

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
Size

4.1MB
MD5

0d492724ae99783cc9523089cbc10600
SHA1

206204c7c66082742ba86d794e04a6da89b3043f
SHA256

8bc6ca56cc010dde8bbb42910f42d6a25c8874a3f0634188b70f6b17000c4eaa
SHA512

fa68d7e1602d9a08b4adb1ed90636f76a760177b3b26c82e5d5c37a2be72e9749a428341ab5307eaf85f3330773a7d38cfe0c9c8c09d3b727e29e8ef17113f10
SSDEEP

98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm25n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3E\\aoptiloc.exe"	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB44\\optidevec.exe"	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
2668	aoptiloc.exe
3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2668	3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2668	3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2668	3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2668	3000	0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d492724ae99783cc9523089cbc10600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Files3E\aoptiloc.exe
  C:\Files3E\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB44\optidevec.exe

Filesize
4.1MB

MD5
d64587f96d65882cd89a32165a70e922

SHA1
bf63e7c12957c7ccb98d62c557b78befb13a5134

SHA256
bea2a1b2efd8eef6c67425045dac943922b8a320f221f35dd6b35e240c82c92f

SHA512
a21a145d761b1d639ebcf9c25c84240f766c0048510cd6dab6c988d28325e27171241b5e3f830a4ebd83fc9975b11e8f5d576b7580a7a8303205355ec5d7dfc6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ef69dfa704997b4c16a4fbb45953ed7d

SHA1
2f919a9742a090169ce8fd0bd96ed4b3fe502aad

SHA256
dcbde49fe94ea93a50157b885227632c9e3db7f4ca50c7968c6dd999e08b1491

SHA512
ba6d182144614f259828e40f4309ccaf40d18ed9bc64c9998c3e750fbd4d3473aeaa2c031925fb477b1d3ded9f3adb71401262625b5c836349b9104fc06d132c

Download Submit
\Files3E\aoptiloc.exe

Filesize
4.1MB

MD5
9b2a7efca4583f973767ef7fda288043

SHA1
c737900e6d42ea7a0285439f25bba56457379367

SHA256
005cc578009fd0bc8ea13f9cd6dbd1614c9bc9a0a5305138183e6dab846d0059

SHA512
a99dd131cf1a034d1a7237dbca1a9e2d424033df76c39a967a9278ab1f6b18ecfd366b7019b5d65afde33773b07fa45a7d0701b313786189c3b83bc25fd974b4

Download Submit