02065445529402fb2598248882e0b1c30ba400c16acb5615f7b113f65a05e20b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
Size

2.7MB
MD5

0b46259ece9cb3b9427d1c2bd2ff5dd0
SHA1

e7ac1d39c7e1a6f685ab699191308275adc2a52b
SHA256

02065445529402fb2598248882e0b1c30ba400c16acb5615f7b113f65a05e20b
SHA512

cccaf1528c9c555bee8078775d6fcb2dc26d0439d16250b250db415a857d9e7560b00e1e9c35204ccc6dd6c771428ab5eb533ad5029a9569dcb4b7aa6ffe6183
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxF5\\boddevec.exe"	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files70\\aoptiloc.exe"	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
2184	aoptiloc.exe
2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2184	2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2184	2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2184	2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2184	2128	0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b46259ece9cb3b9427d1c2bd2ff5dd0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Files70\aoptiloc.exe
  C:\Files70\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxF5\boddevec.exe

Filesize
2.7MB

MD5
3ebfa9229a13fc35ef38eca93c882af3

SHA1
d2e068f41acad2fabb419d3643f35e8f4d861d86

SHA256
b7ed5cc1d9314a4517d396b7d24b4e30ee5b124c5de2d1bc0785281cc973efbc

SHA512
5c7c6acaf2de1cb720ae02cb4544cb9c47b58fff8184891707d85dd262023a7d28f686c95421ff4ba832c6754aa49c8b000b1b2d0451d2cedbe33f89d6c1e399

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
e78a5183602652e16297028af9d7a12c

SHA1
0c136207c39a89bda80f766162a999cd4402a10f

SHA256
45a09a9615a846b41ddf043a32a8087db3623b922267d0ed574372e5c9fd234a

SHA512
49cf58c755b777969d19990fc7a55f3c461c9ec864eb39f0fa05541321a71445784aca71b9a8bceb73d9eb20d8ea30dd923158c1f1c045eb0a51b362f3f7f55c

Download Submit
\Files70\aoptiloc.exe

Filesize
2.7MB

MD5
a1507c5633f96ed4af2b6d8c9cb10f29

SHA1
feb223f9614fc80367e5d5495c261977ac482b69

SHA256
01735667acf1ef3a76918e41738583caaf7f6bcf60f09772471f93abf364c414

SHA512
8c08ca1223c6ce5b29a09ba4bf2d2b2aae6462cab6b1633ae423970e466b2aab4faca6508097310c224cca9364d6affa7ef2e6d764b265aa34f1f1ab798d0c7b

Download Submit