fbd868157941e2ce4c599b945026939277ff9256dd97ac338e93cbdd1e8f60fe

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
Size

2.7MB
MD5

7c05815a425d8a45808e809f24d8ffd0
SHA1

0be144ae6b8855a42516d132fb5ae2ce0f446fba
SHA256

fbd868157941e2ce4c599b945026939277ff9256dd97ac338e93cbdd1e8f60fe
SHA512

c1ad7b85bcf8dc96ab6fba7653e6951328207ec537afc7a82ed0a0a01308cf282476653d363efcfc3bc1b67a22666dc88b3861e1ffe2d4af69c3b4b71ded7afc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4708	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOF\\optialoc.exe"	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQC\\devoptiec.exe"	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
4708	devoptiec.exe
4708	devoptiec.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 4708	3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	85
PID 3840 wrote to memory of 4708	3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	85
PID 3840 wrote to memory of 4708	3840	7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c05815a425d8a45808e809f24d8ffd0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3840
- C:\IntelprocQC\devoptiec.exe
  C:\IntelprocQC\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocQC\devoptiec.exe

Filesize
2.7MB

MD5
9ebc96152a93301486d671756abed490

SHA1
752f6f7ec0591d563a0447f394d10c283845f9fc

SHA256
bd0a9520ac83012fbd4e2cd5a9735b3ebc0980c7bde3b1a03da1da15055c48c2

SHA512
d556c58b4bce88f2b7cf36c047e0c98a5b0a58029f7bd7f49932069e8d2133f8f9613b331c4070cbc95d7715f95692c7d378001c255acf9a9388d098b2331b6b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
e60d847ccd5ffc3bb13514a0b40e1de2

SHA1
790a5d161bca3d2008331c3c890ccbb596df2bb7

SHA256
7e1972355088481b5176834ae74add91ee092d13ddd46591d431fa39677cb00e

SHA512
be24b38070c3e2aba40b0a788bc26cbfc6df901b6fc84943afff901dab47948524b15f33197addac9c24f8192b8bb8b31e58dcf781fb24a86e10c58a092c13c9

Download Submit
C:\VidOF\optialoc.exe

Filesize
2.7MB

MD5
29768eaa605c181320a56a1d0dd617d8

SHA1
aa2611d64dc33c8a28af63e7ea14fe62461326c4

SHA256
f70f41cdfd8487ceec204f3a47c72ad3f8db767e8c5bc9ce79b75484df1cfc06

SHA512
69ccd1b51ce8610c99e6c1e133791155250667375f66ae1ee113dd1cf556505b24c438a5ea99398e977d690b692a32a5936ce22bd2960446a023bf0cdcd839eb

Download Submit