96ae24b099f7c2d76addf0d1f01aa7631bf59aa3c20269974937dfbb3104e450

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

871779e9328e720369e620739d699620_NeikiAnalytics.exe
Size

2.7MB
MD5

871779e9328e720369e620739d699620
SHA1

7a17be6112ca0257a18abeb1689fb071d9897376
SHA256

96ae24b099f7c2d76addf0d1f01aa7631bf59aa3c20269974937dfbb3104e450
SHA512

1ae9ec03205a62849565f224c4f2221cfe0ed22ad6dae079e04fe0a0d9aa1293e200047d2e697a91ee31cafcff26f9d2e2e707e3a795fa5a29600c71fcca9a13
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePO\\aoptiloc.exe"	871779e9328e720369e620739d699620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7U\\dobxloc.exe"	871779e9328e720369e620739d699620_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
1832	aoptiloc.exe
1832	aoptiloc.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe
4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 1832	4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe	90
PID 4292 wrote to memory of 1832	4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe	90
PID 4292 wrote to memory of 1832	4292	871779e9328e720369e620739d699620_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\871779e9328e720369e620739d699620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\871779e9328e720369e620739d699620_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292
- C:\AdobePO\aoptiloc.exe
  C:\AdobePO\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobePO\aoptiloc.exe

Filesize
2.7MB

MD5
122ad5d87abd0cf5d21345b948c2fccc

SHA1
f564aab342a6becac2ddb2105303bbc7f1ab28f4

SHA256
634daf40dca61c237996eb118bec46795e8a37d75ff54f6379efb2bd06313191

SHA512
de4e4eeefb2d138bc373027f21da8b7d0188c8fdf062f019139c2da7cb530cce0fcd941c6a6cbb09c3bc2c5c86da9be2a2f95a5c30050881634809f3766dc80f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
12eb2cfc7d632fc5a87d7745003bdbb3

SHA1
511b001b410a3901dfcd8d4629d5b324fd8ac98c

SHA256
0a95dd90177a48b8e9d9b6a9e95ec1e8d2d2d52c160613495060f6c3eb94754d

SHA512
c812331a976f9bcb0f0000059a3eca13d2b4ac816cd51c859060f560631774232700fcb4b0c2c4c4d7aa402b52dbf03d1c9bc05284e9e65550e3dbf2b37032b0

Download Submit
C:\Vid7U\dobxloc.exe

Filesize
2.7MB

MD5
2103bbc9f86726025e6311ceb8fe16c9

SHA1
7cd90f16d3cb552908c350b116532d750ba36ec6

SHA256
392c7e64e6619bd4919477a6113f6f1858fe870a097dfe9472866b3b3d4032cc

SHA512
35ccfd583132e7c0b5a1194328e38c1994204e4855592b7a97be41b4b52f759524b8eade727a668cae5960ea78317e3dfc4fcd9f2d0ed001f457a1cf5f6327a7

Download Submit