1a14336db0056be6455808ebc418ae8fc0d3c2748df502f6d461c69c79c00308

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
Size

2.7MB
MD5

96eb63f2fcdacd389d14977889a01d10
SHA1

2b55997cbad11f5f3365d4ae5b8747986c2edc6d
SHA256

1a14336db0056be6455808ebc418ae8fc0d3c2748df502f6d461c69c79c00308
SHA512

1f8d00ee374643ce624148315491d5c4b0d5f6049ce4fa0cf92aabd63a99c310877baf948c54bbc5f6b9068cd2723961b26305031594d9a790f004121063052b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	aoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8I\\aoptisys.exe"	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWE\\optidevsys.exe"	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
1788	aoptisys.exe
1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1788	1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe	28
PID 1260 wrote to memory of 1788	1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe	28
PID 1260 wrote to memory of 1788	1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe	28
PID 1260 wrote to memory of 1788	1260	96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\96eb63f2fcdacd389d14977889a01d10_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Adobe8I\aoptisys.exe
  C:\Adobe8I\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxWE\optidevsys.exe

Filesize
2.7MB

MD5
ba17e6ee6c1ed623fd7890f7983bdb1a

SHA1
cb417db58ba8ce0c3de8c50ceefd828eab05be6f

SHA256
8956a261dc1221620676590879cfef1105e6b8edf32d412edb43258a2ce1571f

SHA512
315bca4c37f4ee6e3729adb569bd822e92b0ce78d6574603df97150547a61faa0f6949019b80bdd7155388d9885806b25414244e6bdb0fb409b8ce0664294ff2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
3ee73e4c4f15bc21fb504cc5fa613b10

SHA1
04a700efbb72e57671b0d08c9688128b04a279ed

SHA256
952cf071543578fe7cd9196313d74e5cfe6b71d7d55fd4dc323673f52d4ee7e2

SHA512
7cb987983d485431fb5291b34791f7cb89e67afee2da6ba32ca49a6055e3b654b809885bec0d868b28ac95c0dcaf6d3fb899dd40ffdd9f6880fe0d413c9adc8c

Download Submit
\Adobe8I\aoptisys.exe

Filesize
2.7MB

MD5
906c177c68051723824d54e0e3575dd0

SHA1
66a88f943d945c7dc3784265450a8fca4a40fe93

SHA256
47a827d3aa3cb79aa8c14a139fd017cc65f990802456a5c7acc67438b9229ca2

SHA512
1800f1fe54a84d6b9dd9f3eae63e5efe8407b7a5724b417b5d13e53d28c8803e098bfcec6edfd414b5ca9ee4cf15c94013dc9d6e654a0a8c35e5a54a7f69f698

Download Submit