0cdfd06f1fc4633b19326e4813b82281d35d27011fa3a33ad6b98e7f7da38455

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
Size

2.7MB
MD5

3b5f58a4f106851fead8c82e9d774490
SHA1

3d5a7fe70c55f3f0f8c580deb96ca9c04e2e03af
SHA256

0cdfd06f1fc4633b19326e4813b82281d35d27011fa3a33ad6b98e7f7da38455
SHA512

faee1011ccee6a12124cc27fadc0835a0f3a4df3540230ed53ff37657a47959fab14559d219fe7261ed2229c5cf33780882a4b091b213a52ac5b3cc7c75ab4a5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Sx:+R0pI/IQlUoMPdmpSpj4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2548	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv10\\xoptisys.exe"	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0I\\boddevsys.exe"	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
2548	xoptisys.exe
1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2548	1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe	28
PID 1196 wrote to memory of 2548	1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe	28
PID 1196 wrote to memory of 2548	1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe	28
PID 1196 wrote to memory of 2548	1196	3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b5f58a4f106851fead8c82e9d774490_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\SysDrv10\xoptisys.exe
  C:\SysDrv10\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e0e2718b92fc3ff754d61be34e536972

SHA1
0e39efac984b78354ea47b615ee2ba777f4906a1

SHA256
75be22e950c2041b985e21f800cf4ac73bb67048e5f2e3fb7cdece9c2b7a747a

SHA512
75c58806f5126dc99804d2b883418830fd3382beb4e75345f3336109b02e8cda382c2eb4e8b373c1c680ec7da1fd34b191a7b0df94e14709315373a5b4feb6f9

Download Submit
C:\Vid0I\boddevsys.exe

Filesize
2.7MB

MD5
7ab4c9034ccf5ddecac95aad2ee76b79

SHA1
f329f55fbde8c1bf1a720b4253f9d3ec8f1920ed

SHA256
1492d5e05527ca727ad73be2876bf5a2146c04c74db6427db0b7bc559ded7560

SHA512
6bb44f9467c22b40df7d97e35e25909ecd918acf2a1c2beb3a6002dd3692f65a95e602db575c505715f5b75f65eea91c24ed4556fe37b1db57a68199d099b5f0

Download Submit
\SysDrv10\xoptisys.exe

Filesize
2.7MB

MD5
57fec4d4a47101ccf92b1ac3e605bd70

SHA1
e63ef87f040baf033459f27c7a5b5099d51acbc4

SHA256
1b458984eb4b18e90406f0aaadd4816a846a31aa73b3c9a99474e5f18deca46d

SHA512
a93619df4cae89ede523e7a88c8553e032c8f881cc3fb8782db0ba7e28d24f143b0918b044481b0b5133ed1574114bc3243f23ad40abf2cc591fb70d45704701

Download Submit