5f182a4551f1b580126b3d6d632b68c5420d7af67a3af37d5e4c589d4e85b62a

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
Size

4.1MB
MD5

2a0ae9bc4718ecfbd0c473bd305f7b80
SHA1

568f4833db322ccd0c215071b1d47c791674ef20
SHA256

5f182a4551f1b580126b3d6d632b68c5420d7af67a3af37d5e4c589d4e85b62a
SHA512

d01456bbaa0f35b88271aede335cd0202a21f3c1e35df452324e2f6303c8e4c44ae3761ca7ad291e95952d9bc193e6fe5ee206491578c3686bd0ee5a97f5c994
SSDEEP

98304:+R0pI/IQlUoMPdmpSpB4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm25n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3396	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3W\\devoptisys.exe"	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxU3\\optixloc.exe"	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
3396	devoptisys.exe
3396	devoptisys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3396	4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe	91
PID 4296 wrote to memory of 3396	4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe	91
PID 4296 wrote to memory of 3396	4296	2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a0ae9bc4718ecfbd0c473bd305f7b80_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4296
- C:\SysDrv3W\devoptisys.exe
  C:\SysDrv3W\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3624 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxU3\optixloc.exe

Filesize
4.1MB

MD5
52e5e74b4ac70a5de4ee66d29a41c711

SHA1
b46a45bf94dad3e464ebba42c2b5ad319267a4f6

SHA256
49026954604b907500ba4eec6be9800ce39e392925baccaaf6b82a66c843786f

SHA512
26c5fbd8a011a37c894a2ca345ef363f3a3dcd1dfbd3d619c0c3c1596b861cbfb77a32dccb25212a7fda5a80a1cd644c416472696a198dd3ee88e9f35d0645ca

Download Submit
C:\SysDrv3W\devoptisys.exe

Filesize
4.1MB

MD5
8f48064503596542ca8a3ef40cd6b96e

SHA1
bcc3a554a6077acfd5b1a18e43907aa633154892

SHA256
39c321761b8409aae55100f87450e8fc9504d452ba60fd73a30d6a47ccfe54a7

SHA512
d673cdd944fdfca308fb9f353837abec203ea2a27a01b3b6b94dd27f8c931fd13e3a06e4f2226bff910d68e66c752c8f34b875eef31bd7c632d2f12ffbf2e5b2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
65bbbc1d050a928bc5e505ede8681b11

SHA1
8ddc1fc180624305f5837f79f2b714b133654be1

SHA256
34e515736c30c97dae8588f54ec1475109c970aee815f9fdec9ce0760361b8cf

SHA512
0049eed515ec795f43888f0bd4b58c737ccbbe319ee0b39c29b10a4ed6f5a48038147bcc4e6cb06548058c97b524d023d7756a76585fbfe33b5c9f884b9cf26e

Download Submit