5282eeee6c03e653a31c2535eb48e38bc35ed6345e85f4fd168b69a0484a63be

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
Size

4.1MB
MD5

8b6ce04d697da977035528add36d9900
SHA1

fb859573df0fccf08d044b45f5480a531d5b4c42
SHA256

5282eeee6c03e653a31c2535eb48e38bc35ed6345e85f4fd168b69a0484a63be
SHA512

7d939012e9695009a9a59c84d87e49bea77a1d2af771bd4ea21698b3d81488cd0d8a0b1373475e649fe2ca71a72423a81a99ab4ebfffefbbf026024f35ca1cc4
SSDEEP

98304:+R0pI/IQlUoMPdmpSpq4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm55n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4680	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZQ\\optixec.exe"	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7F\\aoptiloc.exe"	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
4680	aoptiloc.exe
4680	aoptiloc.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4680	3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe	86
PID 3652 wrote to memory of 4680	3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe	86
PID 3652 wrote to memory of 4680	3652	8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b6ce04d697da977035528add36d9900_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652
- C:\SysDrv7F\aoptiloc.exe
  C:\SysDrv7F\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv7F\aoptiloc.exe

Filesize
4.1MB

MD5
aa82d495a192e20725f5cd6cf516e123

SHA1
6e2d3627bae23e8ec10c168fbc15f7a64de34331

SHA256
9bc01094f74e661c28022ed778a4a106e21d2e82921f52eeb5c12d39d7ea9568

SHA512
09d262f5fe23ee0523d0cdbb297b88ce05e78f91b662cd8325004cc8e41541858f635e86706790851feb37ae2539b52427dd4e98598963a4da4d685634817396

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
2d1ba4c0bbd09cef8a42bf07eea56bab

SHA1
4f6251a3c5b5ec99bf84e4636fe0499cb462c57c

SHA256
1c349936cdad82f991582bf636e937c69a77f505088f0c82a653ea04721027a1

SHA512
c89cb6e6dee5d9e5ce452adc787c261196f9610a184eaf6616a5321604c3f10ca200d97f79a1d13c76ad12cc28d08731cb0845e1b3030d9f7e94337011afbed3

Download Submit
C:\VidZQ\optixec.exe

Filesize
4.1MB

MD5
69403a43542b1af1b645dff7adadf741

SHA1
de7f42c329035a8e8561d9fe86e5b8c9519489c5

SHA256
6592e3d2b7beda3568d3986d5f693919a01a798f0703fc9bff860ba1bcc43f84

SHA512
fefc2654330cb9b8f01cfc93719840338ae7e35c60abc9563e4c42d187e344f57abfd17b0aa53e035268b3ecbc15e0fd6c5b26d8944e7959e3ca895c9c081483

Download Submit