Analysis
max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 02:58
Static task: static1
Behavioral task: behavioral1
  Sample: 5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
Size: 2.7MB
MD5: 5922593b7c066832733de77c1e113e10
SHA1: 586a5eebb1408f7253c85962561282cc553ea7c7
SHA256: 9cea047ecffe656ce6e5a36bdfc4ebbe708950228a9b86dc1be0563d364f30f6
SHA512: e046337c7e159eef5004ea7ca84e9ad24fc622b134871626513cb059f8b407403b5a0a61a43edec4ff031ef1e599958821af58a5d88947b44901f0f794699513
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSpp4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
4028  devoptiloc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOY\\devoptiloc.exe"   5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobaloc.exe"  5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
700   5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
4028  devoptiloc.exe
(64 process-enumeration events in total, all attributed to these two processes)

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid  Process                                               procid_target
PID 700 wrote to memory of 4028      700  5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe  87
PID 700 wrote to memory of 4028      700  5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe  87
PID 700 wrote to memory of 4028      700  5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe  87
Processes

C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 700

  C:\SysDrvOY\devoptiloc.exe (child of PID 700)
    Command line: C:\SysDrvOY\devoptiloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4028
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.7MB
MD5: ed5de57abf08977d4886831d24687bdd
SHA1: 94332cf44091599c52ec3565975bcf3f2589e9eb
SHA256: d4ac81a8d108f1733cc3a5cad130e9b5cbee5e4af3af300b26e0ed8ccc0cb978
SHA512: df1e750cda2ff8280ebe090bded55d093db15fecbb11970cb404e7c3394a1bffc4981ee07cd1e9f76ff5a25b5fd78342f268b864c618175016b262e6a67427bd

Filesize: 2.7MB
MD5: afd03e6294fd46adeaddd7e529eac8ed
SHA1: 60a321cfa8fae4821a12225a515f49b7c5bf0199
SHA256: 30cef1b66e63ea524beeb9d4a6c78f93d1eb34c10f81c5979590b5c695f1ed32
SHA512: 2f57fb7e402b4b02f05dfbf3cf97730031cad0104dc6a3695dfb6bc259ca6e515fa1bb830b806c0f131079c4b30b8e961324ab279897b6fb655b2370857f304c

Filesize: 204B
MD5: b8d9a40e0bd1f624b4f22521170095ba
SHA1: 65789bf4e16618a5b59c4c8317eb63f2ad796757
SHA256: d6d685f3d6afdfe135b692440031b2eceb8ad9e373f0300b0690cdb000b85cdb
SHA512: a5c6aaf80b886d8e84d6553679951351ddf8fe59ca4f32cd60a27bd9e192e611bb8a16cb6a53a05a4aafd1a927fd161bcac045723f7a36c22e91b9016931d896