8de039bb23a5867cd343fad7dfbcb0e2b53637a1b45a156da268cc3f3001ad0d

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
Size

2.7MB
MD5

3359a0fb915826b1ff34c0dd6dcafc20
SHA1

018722e3b6c0eb503375e844f25fbc71f454e5fe
SHA256

8de039bb23a5867cd343fad7dfbcb0e2b53637a1b45a156da268cc3f3001ad0d
SHA512

5d9a1af9c4dea5133d6dd4ba6663a529fe612e3205c5c2962cf98bf5e4d535493f780889f7d7a1957ad13cc776acd3e41a11af8aba0d2f908d7f7e3d98b0dd79
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB+9w4Sx:+R0pI/IQlUoMPdmpSpI4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2128	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3V\\aoptiloc.exe"	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintD2\\dobxsys.exe"	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
2128	aoptiloc.exe
3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2128	3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2128	3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2128	3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2128	3048	3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3359a0fb915826b1ff34c0dd6dcafc20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\UserDot3V\aoptiloc.exe
  C:\UserDot3V\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintD2\dobxsys.exe

Filesize
2.7MB

MD5
6006eeb7aa1c9873276d9afcccb4f6a6

SHA1
51f1ca1647f81307bc7fdec71a4453b8ef62ea88

SHA256
de244e9084acfc84bf178458645697e1325af24363e2febeb4d4a9dc0f62154c

SHA512
ac98ce87462893df4972a98c67d141c53961bef00bf57df7d0a3fa73eb49f26849c1cbf9ee0d2deb9442978bca3a6cd58ab851fcbb667a2be6e77765c465977e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
188B

MD5
cfb9be2d66c3145590daa6e10ace1b86

SHA1
0a7bda34045fb94d6f5028829e21fc02caf6904a

SHA256
352f105f751e6bc3205c9b88aa20308bb9a0d252b87ea93aec3648d4721e025f

SHA512
5df4f916359ed25d5339b1bf3fde1ff879bb980338717c9a3ccdaa5e033a2dedd3d4e4d8096bc1fe392f3d0ee345532dab7d9b2dcabe49b3fb6a6a359bc65992

Download Submit
\UserDot3V\aoptiloc.exe

Filesize
2.7MB

MD5
899871ea5c4cdc3f12f42c0c14979ddf

SHA1
c59fe5aff17ade3ebcd1478b67f2c70cd9953cbf

SHA256
f6225d7332f34b445261b9440d5e757ad9a208165a66ff6f87de8cca8618ccca

SHA512
73bd9090de57f84b10c0e66c03a4b010ee8dc951005a40295fae99f7b557e4a68ab11756914f63f3a2cad43e13e4f4d72bd60d361eca7cceca06b2a130ac1824

Download Submit