4452565de6e6b7945ad18b1b3410b44c348adad16b6df1027163967dd1533eef

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
Size

2.7MB
MD5

1773d601228a96ef49b6e6ecc4903540
SHA1

9c7b927c5025f9641d73fa745e6bd92594875102
SHA256

4452565de6e6b7945ad18b1b3410b44c348adad16b6df1027163967dd1533eef
SHA512

2947066efb6ec35bc0b2a74ab924a765fcf247bfe58f54dbf4c2ef153a27d5f5d5c0c1d2d69e53149ead1a269da28ba917ad730faae75d0ddc8457afc5dd0646
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\aoptiloc.exe"	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWP\\dobdevloc.exe"	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
2636	aoptiloc.exe
1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2636	1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2636	1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2636	1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2636	1860	1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1773d601228a96ef49b6e6ecc4903540_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Files7F\aoptiloc.exe
  C:\Files7F\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZWP\dobdevloc.exe

Filesize
2.7MB

MD5
2c2f950383f62a0d81c72c990dff2e65

SHA1
1e4b4f2906797f398830539c0d2c460e784c4b16

SHA256
f0f2d83336d3a0aea791b7d3da58071bccd1a3143728a42212df574042256e65

SHA512
36ae8892e5df6de3aa4b1db6f3d1a2ea36f9cebf05be269f5624ecbbe5b228f288272e356e3a65e1dbe6c778ff18c640f20ddc9c00ee41c0b1da0b78bc392da7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
86e1ad316c7941795a6f20e3e88d0ffb

SHA1
68e979ffcf78af9bf1f45ac1511d9499f16a9729

SHA256
5dd2919a722c520f4fd3e8f9780655dcf52452baae574a9c0279731dd2bb807c

SHA512
5e94af09348db96d70e43c555826047aad0038c3591b4c0f8d79621eb58c3b9b1ce2f5b106c540bbf96b0d77eebc919435e1b869036611addf7d6b684edc55fe

Download Submit
\Files7F\aoptiloc.exe

Filesize
2.7MB

MD5
ffe9f37b6559498f82b71b46ec06ebe8

SHA1
227457da24d455b2dfbdee51cdaa518a14cedab0

SHA256
a28189ad4a9440fd1b310b9cb7039a69fe6f949d4d7a8eca13e7a1350b14b086

SHA512
e7bb16385dc911a61fffad2d4669c1f7b029f33969e41f4c6e0aaf8258347ba824f55e7da6f7a3fa23247d43039f6f6579983caae7a1905ea4fce227911b704b

Download Submit