56a14cb08af8cce771ae6d0f573d7f9a33fcd585e618a25ea6d3e9b4b5f60763

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
Size

2.7MB
MD5

2eedd3421991c01f87bc04477d35b8d0
SHA1

db8b7c81e7711248e83aa25702eb92d623f52800
SHA256

56a14cb08af8cce771ae6d0f573d7f9a33fcd585e618a25ea6d3e9b4b5f60763
SHA512

744b98c24c8848ffd39c060666f5286b953eafcd4cd9f9ca611a5c606c778b4f48aa79e2661842fe70054064af79736cfece680de22678a6402c47e8915af67f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSp94

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1592	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxF5\\boddevec.exe"	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files70\\aoptiloc.exe"	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
1592	aoptiloc.exe
2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1592	2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 1592	2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 1592	2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 1592	2960	2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2eedd3421991c01f87bc04477d35b8d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Files70\aoptiloc.exe
  C:\Files70\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxF5\boddevec.exe

Filesize
2.1MB

MD5
bb866bea69fafa7237652f563b38331d

SHA1
a654e4cd1995705e5180c55ce0cf9c1f9952f8c5

SHA256
bb52ad124498db431afe553042c26cf243bea7ba3bb363668ecedba80e36239c

SHA512
b27bceb96344543361ad72c2157e7353e43193599407710423626718a2462356be1a70160f6a90fd5bd35ea798c8cdd975d335e27b6b1b918f69861d0112f894

Download Submit
C:\GalaxF5\boddevec.exe

Filesize
2.7MB

MD5
812a67701f3da4ffc8529f84f71b1d33

SHA1
ded36ebd53d657c9359a20807dd715810b6674ab

SHA256
73dd1ae50a60d755a937727df132a803203e9c9bf404bf32f6f8e4c0358cdeb5

SHA512
75c0ef066c3a14ef8b64514458931df1d4f6b18d6f4967d3ab483e335e1acc985043fefaa9041d31b5251eaeaf04dbcfdd8f05c0af5493264e5ff7ba6e1f5086

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
4f734cfb2385291875a48a8397524e45

SHA1
13786af30f636b331ac5c06b757c4246eaf0a253

SHA256
fc60393fe72c72b9629545ce340467498144dc37cc5bb2533e9fbd745c9283eb

SHA512
e71098cb6bca83590d7bfc2fedbfbe3423e41669396b357482fd6981d5e022a26c2f8f45f9f801a541094366443fcc9d6e80d834fd0a0df03b59b09a0c465b7e

Download Submit
\Files70\aoptiloc.exe

Filesize
2.7MB

MD5
c0096975de2a80758d37ae71ceded9cf

SHA1
4b646ac919cb97799b7d35ec582743d2f7ab2baf

SHA256
1c2db34b993460b7819c8f501495101f5701def2439107ec297fcb0a386b46fc

SHA512
28314881efe75110643335a5c2b47ce70e5caa68e44e2a3826370b1be1f706cc9166a6bffaaeb5cb37496aa0d1ca0a1c92635710242bfd952c3eb8485c3567e4

Download Submit