7c733557f2075c5f5b114cc480e891a83df304afa37b98abba2debce93681ee6

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
Size

2.7MB
MD5

d39a264eb5405079e0449878b51a8ab0
SHA1

a8f90f5bb262daeb5d2662072efeac9661f61b9c
SHA256

7c733557f2075c5f5b114cc480e891a83df304afa37b98abba2debce93681ee6
SHA512

03f13f70ac642ef6084f4bbbc77c43b1cc8d640987f67a9591d9f73fb905bc027cfc503f017f294304c878083ff2d6e117219317d6d8b25b0f3529f737063be5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4Sx:+R0pI/IQlUoMPdmpSpi4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRH\\devoptiec.exe"	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint84\\optidevloc.exe"	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
2748	devoptiec.exe
1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2748	1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2748	1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2748	1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2748	1760	d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d39a264eb5405079e0449878b51a8ab0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\AdobeRH\devoptiec.exe
  C:\AdobeRH\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint84\optidevloc.exe

Filesize
2.7MB

MD5
ecff117965b0baf5621b12eaccd9516d

SHA1
dd5b19372e7498ab41edb9673e5d92be10e47d50

SHA256
858222ec7fd3b291e09f3ed96802470415172a8899d53a2ed1c4e55cc29e725f

SHA512
7931e678d8431524dfe4d3bda44b498d6310b4f9e0830dc60c54a4aadb7a1297a9cb975a6698c359af1e264e0ffb7f7fa885f36b939f6b1888337d41d2b9cfc5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
ae43425701e18a1d3a45ed2edfe27237

SHA1
e98c5f99e1eef3d9ba652c6e9cf9373d3d7609c9

SHA256
b10887229e4c206034934eeda377dbfc7436c837dd915565f507568bab117a2b

SHA512
2774e798c64856387f470327a3703364fc66f8bcf2fcab149411336fa8b844fa5ea995b4258ca945b08c14d87dabcaf2b4dafc6a38bcf3cde1e45427c5221256

Download Submit
\AdobeRH\devoptiec.exe

Filesize
2.7MB

MD5
ef4560f2b1dc3ca50689605722ac0cd8

SHA1
0bc11cc20ea54ae8e6a3178a3a0ea25feb537bba

SHA256
7b2d7aa704aa8fa5ef53a115b6cca6012fb113d4255598238b9636c12cec5c20

SHA512
8441e1c07af205755280964673a6d5955635e90e355e8cb90da0298710f85581f44568083f7a4cbbfe3fcc15c2efbaa42f81cb6651e7d709fd78561bf5649b93

Download Submit