b139baf987daa555d278e009e018aaa1ac3f671de4622d4ddcd42b3e737ae8e5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 17:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
Size

2.7MB
MD5

a1f78f4eefcc590b864e7c2cb2342d70
SHA1

259b61deca61bfe062328cfe40dae6d6ef41ff55
SHA256

b139baf987daa555d278e009e018aaa1ac3f671de4622d4ddcd42b3e737ae8e5
SHA512

803ba5cfeabcc8dc6a9a06fee0cd4058c40e95586673c13c4b836131dee0e0f8e0a1cbad30bece8a1384f3637ac54f5cfb22fa2939eb6a558864e78845f08306
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2252	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX2\\devoptiloc.exe"	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAX\\bodxloc.exe"	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
2252	devoptiloc.exe
1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2252	1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1f78f4eefcc590b864e7c2cb2342d70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\SysDrvX2\devoptiloc.exe
  C:\SysDrvX2\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAX\bodxloc.exe

Filesize
2.7MB

MD5
c375c20a3d01062ac86cecfce1197d0d

SHA1
b6e289a69d924a315e3b6a295c16325710bc4c4d

SHA256
ebc3a263699d442740b36894cbb196d1297ab9c7e98d8c43e1081bf60a9f6536

SHA512
49bb885f212a12a35846154169470884f7f10e943cc48bb184cd14277f4c446252d24f865941bf02e1eb6e2e9968e12b5a4c9e3eaa69395349aa21443ee7d2be

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
717b45449844827025f520f076236047

SHA1
80e4102b55acc8eb41216cdfbef7de7b9d925d54

SHA256
2522774116c6d0cb0718246d02777d585c3172c92488a5527a8a5677ba4aaea5

SHA512
22fa8bbe1821d2ebab14673ad3944de1cab7430e2939aa3ac550ede1e9ea773ff4e18fa2c307641b7f557576fb2f68265952a7e388069e9a7925909b75ff7a09

Download Submit
\SysDrvX2\devoptiloc.exe

Filesize
2.7MB

MD5
58e774c32f131e208b0f575b9a1b30e7

SHA1
7ae256e127c6b369892e4e0a1254baac76bfaf92

SHA256
2d0e220d8d42471c58c59d3fecd36fbb34bffc96f4b1e803cb265bb2c773734e

SHA512
e86e9741a1c806b10ccf0ea348823588bf16df7c641b56543009230488359e9dffad03754970c488820f1fd75ea8d6e687efe8df6d0010b8c5eb2544e945b9df

Download Submit