d063ba16829fa4e21cd9f1661cc14cf96aae9f1d5db167a2122d2716ff8ee17e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
Size

2.7MB
MD5

d2eb6a6a1810725addf4aab74247e4c0
SHA1

64605420c88800e071ed89b7743b55fc2bc4fcce
SHA256

d063ba16829fa4e21cd9f1661cc14cf96aae9f1d5db167a2122d2716ff8ee17e
SHA512

a9d4f18ad2c640a839c5c8f1489bdd362fba0b1e4584d6fa07f911154def8aedc5494071def52a4ae39d011c1a8b18af44345976e0ca15b874d2fddb57f49b1f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBR9w4Sx:+R0pI/IQlUoMPdmpSpt4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY1\\xoptisys.exe"	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZO\\bodxec.exe"	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
3008	xoptisys.exe
2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3008	2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2eb6a6a1810725addf4aab74247e4c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\IntelprocY1\xoptisys.exe
  C:\IntelprocY1\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2b83390b9a4ee5bb1a8be4b6c21b3f0e

SHA1
297e6601145777556c31a410c43d3c491d816380

SHA256
991216d537294beac46eb1f8bda38362be049b4c949ab1b90d90c62df22c7b21

SHA512
ffe7791243346d6198a21e4cf10ed58cdadde846cb4d5cba9a583e511fbd0d6fdec14d61e487c984b7cb96f6f57dbd234c955fc219968f116def6660185cfb5f

Download Submit
C:\VidZO\bodxec.exe

Filesize
2.7MB

MD5
1fb46864170895543deffb653842de15

SHA1
f70fc945deee82b9218c9b8a8f711c49d3eb34c1

SHA256
d9112acf80428f48354b2a9774ce461060e3560b12b844d8558c17f2e84a8cd6

SHA512
1c3ae8cf598eb5d2b27b93a8ad6627c4778db493021f42924fcbf855be581d34fea8dd2da92f10739893ff632edee9448f033037e022adcdce2152f9353cd6b3

Download Submit
\IntelprocY1\xoptisys.exe

Filesize
2.7MB

MD5
98281b31e89d6caea1ec12e8fd14dd75

SHA1
b85b161c6787bde8d3904f2bce09262e5131bd18

SHA256
afc64369a08db763f2bb070c966d264eb8df5b0505e7d3300cfbcde7cef7fe14

SHA512
64a9680ff0cc073f39315fdec38f95a465142dd0b006a5c8cd47c8ff29a976ec32d4b76d75f24a4cc031c9c2071374668e65567fdcea15b2db97d07294aad345

Download Submit