773d9f3843f0e8662983cf3d498705f24492ebfebe627bb0c3306b484a387af3

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
Size

2.7MB
MD5

1ff6f59bfc876171a3dede8c6a1468d0
SHA1

36b7e0a8747c88d0cca859c24169e160941700cc
SHA256

773d9f3843f0e8662983cf3d498705f24492ebfebe627bb0c3306b484a387af3
SHA512

2b0bf9ff7ce3a9a9ef6596fd8dcfaec98aa09072f5240872ee2c975c6bbba20bcd40020fd41b9683a3a237fddc2a93bb810210aa36cb69c52724b1a5233e1da1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4252	devoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0T\\devoptiloc.exe"	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAG\\dobaloc.exe"	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
4252	devoptiloc.exe
4252	devoptiloc.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 4252	3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	88
PID 3780 wrote to memory of 4252	3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	88
PID 3780 wrote to memory of 4252	3780	1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ff6f59bfc876171a3dede8c6a1468d0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780
- C:\SysDrv0T\devoptiloc.exe
  C:\SysDrv0T\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAG\dobaloc.exe

Filesize
2.7MB

MD5
9f065dd871595221da68de99736ead8a

SHA1
d70a2c624a8d8a2bd76ce9f497d75c72aa1f7a6a

SHA256
2662a589e13cc9ba6dff2f07d6f9335797a390c7e2e3b4767b749f681befebab

SHA512
b5977b28fadb1c71fc12865fe4f66ad46100b56c1cd802df42e5e99d6ac18f5c2bd57ee23757e00ed9eee6948be50f94bf2517ca741b46f9b7a47b3f2767aa91

Download Submit
C:\SysDrv0T\devoptiloc.exe

Filesize
2.7MB

MD5
7c8e25bd52970041de72c2825c1fac78

SHA1
fc4ed375b685256791db5cb72e1c7ff9316d4d35

SHA256
546662142dbe1bf20ed3869715a1474e60ef0a2ba9408331df141de93aaa99cd

SHA512
3e427082deb4d35055fff6f1f1310ccb244acc2c3a03dde0528af61df1b6958927fe0523e4a28e1ec36ae24e5b0bf97e82f85a85fb9998423b1b52c39a96690d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
25bc16d30baf68cca66a1a0b8385f00c

SHA1
ac21092b1317a3b8376c0554a7fdfcfda3df21a0

SHA256
5c48df6903ad933a065b672f2b8003b9408937cc0c85600dab3e533cb1b8baeb

SHA512
a39c9d0979728e2e0a2ed4aaa78c43d8c50695c803494237470d345fe2801e16876bfbad186ca9439ca63130ed7bb1fd5031fc80bc777620a577384e4d7dc1a8

Download Submit