dfc05c2f6bb6f700a17faef4fbc8d12707d4fb804c7feb55afa8689d0d4122c6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
Size

2.7MB
MD5

aa117efdc85c63e8624ca86973aca920
SHA1

c0aef091b152216650e88d6b3397b4f2061a84c9
SHA256

dfc05c2f6bb6f700a17faef4fbc8d12707d4fb804c7feb55afa8689d0d4122c6
SHA512

170f998b2832132a4f022808aa91ff1c5a347782eaf338deab2725e1d018942313cf0e38cbeacb80a2c9c53595170e4c1b8ddded4d0579b397192b89f2058b14
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5024	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY8\\xoptiloc.exe"	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNB\\dobxsys.exe"	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
5024	xoptiloc.exe
5024	xoptiloc.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5024	1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe	87
PID 1184 wrote to memory of 5024	1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe	87
PID 1184 wrote to memory of 5024	1184	aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa117efdc85c63e8624ca86973aca920_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\AdobeY8\xoptiloc.exe
  C:\AdobeY8\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeY8\xoptiloc.exe

Filesize
2.7MB

MD5
17b8f0c1fe42b11085f217fa17ded378

SHA1
0786726e9a30a7e94c119a7fe931baf04d34e479

SHA256
48fb8d8427fc41b3a711e05ae028a8e5cb7d5d8818a4b70305e1b62e30e907e8

SHA512
4576aff61d7338c7f3b4adc13704e80a68f08810e7671e64535b54dbf7fb4fe93b6db83438a57bc34701aaf045f0aad187d746c9b8e110999039e92b50ddbb11

Download Submit
C:\GalaxNB\dobxsys.exe

Filesize
3KB

MD5
3161dff010f251bc927e6e78cec9f490

SHA1
c2d8e5e54300810e861e8bc27b869b3e8053b8f6

SHA256
b1a15ad4b5bb8edcf1808226895d8dbb5d7a9b52f7859584e51dab938991a13c

SHA512
40a22a64ff72d4b9528f24e1cc4a5a59e79cdc441d00f9a9853cac1a3cbde37f264ee95d3fac212e89beb62a050da325fb2191f881422f57ba38ce13876e4679

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
9efd296502c57b220af2922640f16af1

SHA1
7f9a56c63c438ca0a4426d4b5cc130cbcb716e02

SHA256
80c3f31f1b597b6961cd2c69df3909e67c5a32597f5f1674d0f8776029073966

SHA512
665e464e1df093834a630304037037fb6ab591d63ded06aa7855ef07e50581efba20593df3fa4e5129c6b9b71ed7b578748ce6a31563f3dcc898187628b48484

Download Submit