2c87539b045e85ea99e8bcb1638784a6f574d291848aeef982bfb6b3e281a563

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
Size

2.7MB
MD5

83125aeb38d770c23a081a191779cf70
SHA1

28da56e97f7faac7f260cd8ce4c3dccb3e905b8e
SHA256

2c87539b045e85ea99e8bcb1638784a6f574d291848aeef982bfb6b3e281a563
SHA512

916da74464b582232bfbcbdb069a3076f7ed7276f7b884de6c9e5a17d0ac29e5a1fdcb1b0c482f634731beb998a49614bfbe3f39254277729972f173a924a572
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files6H\\devoptisys.exe"	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWF\\optialoc.exe"	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
3060	devoptisys.exe
2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3060	2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 3060	2784	83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83125aeb38d770c23a081a191779cf70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Files6H\devoptisys.exe
  C:\Files6H\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBWF\optialoc.exe

Filesize
2.7MB

MD5
ba7d6410754cb4b44520e89b32a9836b

SHA1
c061829d07f98a96cfa926f6036a2ef8b88888a8

SHA256
275a7cd024dbb9ed16f890636ab442923f9eede4aabe6a5e5307d4ec1a743081

SHA512
d41992e539e035b65bb185bad31f3d5b1e413cd0817918458ad045e3f413c7835a633d0ca288f14355a04f01523416d17c9f6aa1b5f463861c939d8dc1499584

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
7bbacb5c062ffdaa312856fbeb2fab31

SHA1
2ea500c78c42eb7778522a4a8e09dfdd93787985

SHA256
332556b3b068f0622f94a12c5d92c9e937eeaacf451a94d86045d77b0329b49a

SHA512
87ec7ce5ca859426d4ae83b265e5954bb35523f1856a9580748d021a5282ee196cfc78f0952cda7c35ca5ba6c65b6d103117ec4b968959b02d6af335f3676c5f

Download Submit
\Files6H\devoptisys.exe

Filesize
2.7MB

MD5
6b04305b7fd41657d576aebb6447d26e

SHA1
5ae26b9c51271f1cb91f5437d2330e038ed56fd4

SHA256
61b305b1f814cd9c0e3b60661d8e51f1bf4d4fdbf792721e3e4aa1baa821db08

SHA512
85ae7489d1abd5883f1262e39ff841af94a7a03206a1ccc3f021ba008c400ce5c4773bea147175e4cbea475729a54e0899b13380c18f4ebedbe6c0bb58780ed7

Download Submit