3c379b6383bf9d321134e87edb7933a7cca6ef4d624a3fb0e79222f29b765ce0

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
Size

2.7MB
MD5

1529cb9a6748cc2d8d7b962d418ba400
SHA1

e053edf50510bd0ba6081e0e91bbb04ff330bf09
SHA256

3c379b6383bf9d321134e87edb7933a7cca6ef4d624a3fb0e79222f29b765ce0
SHA512

4d3dbd3bb814a8552914423577703910d6bf33ded825139520956b784eee8cfc04f6fa97c00b68c60c6d60adbcd1356dc3486308e7baa2e701a6374b7169037f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKW\\bodasys.exe"	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW0\\xoptiloc.exe"	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WCsysxopti.exe	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WCsysxopti.exe	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
2404	xoptiloc.exe
2404	xoptiloc.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2404	4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	90
PID 4436 wrote to memory of 2404	4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	90
PID 4436 wrote to memory of 2404	4436	1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1529cb9a6748cc2d8d7b962d418ba400_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4436
- C:\IntelprocW0\xoptiloc.exe
  C:\IntelprocW0\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW0\xoptiloc.exe

Filesize
2.7MB

MD5
f7f57f04d25aef88abc76e6f1df1ef48

SHA1
c7601ce5be34029ec0d8414c336c8527b98495fe

SHA256
f173547f7a6ef543c8c10c793022dee263328c5acc1f47476eb9294a954ca957

SHA512
e53e1c8e1497b36db2aa8fa2b152727c2280d49e47924c0091957fd377e2a0ea01fba2b1b559be61f43e37f9b73a869a5630da5befbf881fa3b0a2da4d225c39

Download Submit
C:\MintKW\bodasys.exe

Filesize
2.7MB

MD5
fd449bb6fb938a71d66ae8d3290c3681

SHA1
947fdca64d0feaf92234f9d6316ec04509ae2639

SHA256
ebd19fde04d714817e4316371a0fc3634ecac2d90b761741da81a66ffbd70b59

SHA512
2974ef4e9d5ada0d6f76e10ab5312fcf9bcc29e52d28accafde551d90385e5a347549b9b3af6dc326391305a0f8374b0152c393d28bb8943aa0da88952bcd8b2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
0833216ec9c4243dd89fbd1dd5d44f50

SHA1
c763aa83e51740f4f7c517cddd4e40fec94c6609

SHA256
0c38aa6d01aad3652d433cfb55273f406186cc5688464c6461d575886d395546

SHA512
84cc2b4d3c775f849d0631632cd32e263cee0165c98c9e03815d9f6796938cc9fbb157b6fb18b92b0a5231e6e57ff6f23b85faf6e0260732a0d83f17c3144cfe

Download Submit