8d4e67182a05e57938258ed609b17096543c525888b2d3ab81ce5b75b530dbef

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
Size

2.7MB
MD5

492b061da4a835cf637a9fd6586f9ad0
SHA1

9ed21c0fa01ce753d1f10974c2dd872a31419c75
SHA256

8d4e67182a05e57938258ed609b17096543c525888b2d3ab81ce5b75b530dbef
SHA512

b5b0eef209f694ea60e3c2fbbf9832702ca9c98d55cca6df1e3d0c89191e166ca53b8da1234a094f0a59d2b76359e031bc4eea255ac11a4361d5b8f7a275a1e0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZH\\xoptisys.exe"	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCH\\boddevsys.exe"	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
3044	xoptisys.exe
2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3044	2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 3044	2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 3044	2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 3044	2080	492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\492b061da4a835cf637a9fd6586f9ad0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\SysDrvZH\xoptisys.exe
  C:\SysDrvZH\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZCH\boddevsys.exe

Filesize
256KB

MD5
fdae337994aa73d0c5469c41c2f7186f

SHA1
2872ff0e04cac273008a30043294741553e76dcd

SHA256
866402bdc87a7e0a5ba71a7f9dad51af115ba36ece63cc530a0b77ce5d93eb0b

SHA512
563d2b949f39bd8467bfbd0759a0cf4f344d3a654284ec120511865cd7fd8b7a73b8ff6910a7902200924a3144cdc7e0f4ba52460b3735f7a49a3a49ceeece35

Download Submit
C:\LabZCH\boddevsys.exe

Filesize
2.7MB

MD5
2d58c5b3a2dd7885c66143725402f56a

SHA1
2cfb16b6357b6a3a00152f46cc13d917d4b78176

SHA256
fd9963d607f74bcb221ef3b3a11609754821a8f5d7dd671f148e606902ff24e8

SHA512
13d7593fa67760fc5c474b15ca5e15355b19b1c0a5bc00313dba24364e1085088fb91a3b7a519b292eb5784bdb48a78a5bbff6b3ffdcede7172217aaea826cc4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
ab24899f705fd58ae65b3055705d6694

SHA1
d1128293e3dcbcf8da88a9678febe3801711bda8

SHA256
947b17747ddf4cb3679790bcc6b6e2dfc1eda34ed84dcdd1c3ede432ab76418d

SHA512
5c12ff362cbd6e8d68c4eec4c0cebcf7cebf13196125ab7d1a2b45de1f8cd1da893c6e42f16f5a01cbf6030031f35e1cc79e21dde03afe2f0bc973c7bdcb4f66

Download Submit
\SysDrvZH\xoptisys.exe

Filesize
2.7MB

MD5
f93f7eae59640eec0a4e7b8bb13b068d

SHA1
2d0fa37425f7bcd2943ad4112b5a18be2e9b7d80

SHA256
50b8c4655b1dcc3792e76ad55c5aeb473c044054be4dbe180bed6c4a1f3a66fa

SHA512
7dab185e30ae4658aa67b10c2cd70189d4ddefa99e06116553e64dc1b7ce8d698fdd51c19d6de33fd44c928b1521bbc05ea7d96c19cc2c509fa18a2af40183ad

Download Submit