9a241d7f2b7b4f8f628f97620f1584cc0aedb328ad09092f5d93bf0a49f8b606

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 00:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
Size

2.7MB
MD5

125e2ec2812bfb53c988376d54a1e400
SHA1

0ef0da6bf41f37418cbd4fffabb60a6c873a78f7
SHA256

9a241d7f2b7b4f8f628f97620f1584cc0aedb328ad09092f5d93bf0a49f8b606
SHA512

7d46479a78da9752b98bab6cba11dec168983aeb7b594f0b9b3ac7d2c2152d53c4e972d760948117d2273b003c181add7556a91e978c5ccf55782374f5ab56b8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2276	xoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSV\\xoptiec.exe"	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4O\\optiaec.exe"	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2276	xoptiec.exe
2276	xoptiec.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2276	2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe	82
PID 2744 wrote to memory of 2276	2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe	82
PID 2744 wrote to memory of 2276	2744	125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\125e2ec2812bfb53c988376d54a1e400_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\SysDrvSV\xoptiec.exe
  C:\SysDrvSV\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ4O\optiaec.exe

Filesize
2.7MB

MD5
8b05829aadf305dbfff0abc9758caf77

SHA1
a977073caa71668ca0ed5920abf06a10a1450cd8

SHA256
84630d9c176b0412271434909209e7518e1dbea34072da0fa82cc77e8ee83a47

SHA512
2405543ccc91dcb9140e0f7bdcc89efc0d4d5767104bec896b79772442c896534080665c6974452cd72c1bae42e044d8cec01f6706f563ed0fdcc575b25b6dd3

Download Submit
C:\SysDrvSV\xoptiec.exe

Filesize
2.7MB

MD5
3f2643155a28faac3d6114ddc26286b9

SHA1
9dc24b5cdd59565592fd81afdfeb05da66d189f9

SHA256
469d36d5faae6c3ebbb1fa0d089c1428d1abf81e72434afe641fffb73ba66192

SHA512
5373960f1a3c14e2e770771429edeae228d19d79c30fc6337a4dc4bcd64980f742e831388be2986a167ea74661c774a4127be489575add55605c9def3567c2c1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
9aa26b7f9cdad114294d61916dde4609

SHA1
0a510b1d776686d90e56e162d43097f0f74a4fc6

SHA256
cabe49c40814e9b21d59e87fa1d32b264abb7d36a2b413b6f3d14a5dd8c6943f

SHA512
e6231fb622cbb4fda7bcbbdfc3daeb32a917cb15b920f732cdc265ae0b7a244b72498f3111d16e6710fa2f96e7096764e2d15294f73f8d41398bad32eb5ffcc6

Download Submit