d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
Size

2.7MB
MD5

71699b8a4d6581b361f4f739be428259
SHA1

a99801a2db6c921471d030730acf8b482b4583b8
SHA256

d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511
SHA512

1c39b537900f2c9cb29952152dff0e3ea92d8993d742d7c93a101d0a4547ea8799477d6dac5f403cd03a073bc7d226589dac14fd3021bb3b56e269f5a75ecd01
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3456	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4N\\xoptiloc.exe"	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4X\\dobxec.exe"	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
3456	xoptiloc.exe
3456	xoptiloc.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3456	1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe	88
PID 1872 wrote to memory of 3456	1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe	88
PID 1872 wrote to memory of 3456	1872	71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71699b8a4d6581b361f4f739be428259_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\SysDrv4N\xoptiloc.exe
  C:\SysDrv4N\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB4X\dobxec.exe

Filesize
2.7MB

MD5
cc49766286d81d8753f7a1e40c80469d

SHA1
582bb5e720f9da8bdd7dcf2e5852a8ad12d24db4

SHA256
fc0857731e1efd607ef345291666fee1e7cc1fee989695ae3fefd2e398030dfa

SHA512
a45fa66d19babe6e5ab3e696305aad2c6763ad34afd822cd1152b74b359cd67229143aa1c5101714135040694498a732de5aae5638a1e0fe6814ef8997a49fd8

Download Submit
C:\SysDrv4N\xoptiloc.exe

Filesize
2.7MB

MD5
d054916bfb17e23c54858ea93b0146f7

SHA1
923f2ee39f2ec35430d2aceb3a31f6983a97bf4c

SHA256
c61a92a133daa7a3cf67fa005f904d1db2906b3b9bc4333a6234a6b98361b363

SHA512
5d4640282836004ecb49a62c64127a337c9af0ff3a36659f0fe40c3af7b00b5b601d92ea9034f44ee3605497a77db018d0d1546314fdab7b764f911741dcc851

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
5b1ee588983a379b54060505e5325b18

SHA1
a440d7e992509d53265fd8efa42fee610603743b

SHA256
e6f7e5fc596574a7850c820555cf362e9fbbb554cd5620ee3d419d2df30460d9

SHA512
fd4b61f6c583ea4572505ab07b446f567128f8ac59459cb65f474ab0361856f53aa1f80b315a6ae40eefca4385799079d3e1b0a06ed0e01cde2f349510f3ea1b

Download Submit