47a99a3918ff965a781b670e0e0dd89b6d063fe161c62bf822ad18651235dc00

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 03:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
Size

4.1MB
MD5

8cda22b180869f21313caee0805b59a0
SHA1

bcbcf61ac4e120db028dd1ba644d286d2a28952c
SHA256

47a99a3918ff965a781b670e0e0dd89b6d063fe161c62bf822ad18651235dc00
SHA512

9bb9359353538e6752523a5b145158d0385edb1bc8dc2ef34a54fe591d01c2395095ab4de87168db424e441d542f4ba1318cf2af580dcfff15ceed857ee14c03
SSDEEP

98304:+R0pI/IQlUoMPdmpSp94ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmq5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBO\\aoptiloc.exe"	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHC\\optialoc.exe"	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
2468	aoptiloc.exe
2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2468	2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe	28
PID 2420 wrote to memory of 2468	2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe	28
PID 2420 wrote to memory of 2468	2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe	28
PID 2420 wrote to memory of 2468	2420	8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8cda22b180869f21313caee0805b59a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\IntelprocBO\aoptiloc.exe
  C:\IntelprocBO\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZHC\optialoc.exe

Filesize
4.1MB

MD5
d8f264fb4dee393d26efc8985ca09259

SHA1
87f917ad7dc30c549a6e4a1fec9315942e6217bb

SHA256
f50e024ceb341341a350226fdea2bb45d17192fa4fdca80e0b89aed182cf1133

SHA512
952e94940350aa96e81761667d0c72cfa4152f9e049c7f94ca44015f7ed8e4f41ee04aa35794fe7eae8ce1e8a8277475a90ebd48d8036dd03f412bba42619ffa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
9689736f2f21860451512ce133e5e7a0

SHA1
a039a26a13f64a1abfbe1f627eba9c116e07f74a

SHA256
9695325b51ea52e82f10e09dcec489a0b81762de1d5e40f00dd16fbc78ad653b

SHA512
b35427bc6778bd737364cc062985aa11c60322ff5c3fd2fa715151a0e1ac3bf2550b483781410014167e0a77343d252078cf8b242761ec4b3155b305c3581e09

Download Submit
\IntelprocBO\aoptiloc.exe

Filesize
4.1MB

MD5
d24542f3fe8e008b4830a129ae7ee1b5

SHA1
65a9892f20151fc788f1c8631b0e33f49793cd9b

SHA256
f789a42fb49c6d34437fd0e786fe3377045765aec5c82505265b945c6df77c9b

SHA512
5482c5a6812b2a633710a56a49cd2d53ee1e099044370ed2808ca68d76de39be6abc575baf18e27e69b5839ee05fc19925bfec090e1a60eb29f9aeafb45fbc1f

Download Submit