fa154c649cd3df6fef0a1393cae5c74aeb2e24875b9dad06fcdfce60a272987d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
Size

2.7MB
MD5

9c9d7179c498b8e79e48943f114d4d80
SHA1

72080780690f08709197b334050539b73eb9bf84
SHA256

fa154c649cd3df6fef0a1393cae5c74aeb2e24875b9dad06fcdfce60a272987d
SHA512

64ce7fc4101ed19cd147cabcd542f6ba6286dbdc6a88ec1fe4ba9616d7b203889e607143758f30fc275232047bfed8852d8a8a224f8ba1f63e04a873ff8ce909
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3784	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEL\\devoptisys.exe"	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBS\\optidevloc.exe"	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
3784	devoptisys.exe
3784	devoptisys.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3784	876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe	90
PID 876 wrote to memory of 3784	876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe	90
PID 876 wrote to memory of 3784	876	9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\UserDotEL\devoptisys.exe
  C:\UserDotEL\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBBS\optidevloc.exe

Filesize
2.7MB

MD5
7932b3911ddf3ce8f34b8db3c202ffd3

SHA1
12ed0926eec2053c7a222299ca42044b9f560ecc

SHA256
22138dd2784d3216a5dd68658eabc116016513cca7bb429013b4759913897d36

SHA512
5c8c9434dd87a7fcac2efce33545840a6b2762f6fd7555d6fcc3a9a7502a963da2a45e72d11970aa04a73a2045933c9fd9ae2b517bbaa98d841d0526c55b4fef

Download Submit
C:\UserDotEL\devoptisys.exe

Filesize
2.7MB

MD5
1fb08e34228c483e5b7d8831014b1a07

SHA1
669ecde12cd02892640dbc4e3dd858efb71bbcdb

SHA256
bc5e31a859e9f14967a9ecbb1a28dc5b9fc56d88b85a14932ca8091ce527b1ce

SHA512
fa953dcc111d27eda271d7ffa1d9aaf54f75342605815d09df1b3307e8c62becde7c15c2412304ddb0679f1459c3f31e11255b3bf634b1b06b47599b4a73bbc3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
cfa712f945067cd7c5543527392126f7

SHA1
b6fc3a4b69cca8e56fafd5957ed79bbca166650b

SHA256
42bc7688e27ad5f6c8cae7da25300968675bcd4022c98b45d603d00df4e4cf61

SHA512
a3fca78df1f735edebbb61f0c2e5e4b52906ecd2da0938152bcd6ce0b56f0dd95f87aa3923e862028f6c70ce57a82236c3246a7ecd3b06793df1a12a1827d196

Download Submit