5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
Size

4.1MB
MD5

43065b701908d6ff3097fefa7a7dd7f0
SHA1

99b522d4d60d75e0bf2c835d4b294c721a34bc73
SHA256

5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428
SHA512

ffb9697678105de12f84bffbfde1a3f2f03f895bc01da42d95c7d841ab8fdc4e69c8c13e83a492c9acdc2d38f9f76bcc76e524cc0b01b246cb8fc0c4653a7c2c
SSDEEP

98304:+R0pI/IQlUoMPdmpSpb4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm45n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNI\\devoptisys.exe"	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5K\\optidevsys.exe"	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
2916	devoptisys.exe
2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2916	2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2916	2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2916	2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2916	2036	5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e09ab32a8a5d04919a31e185df0c936184d0fae63a76415581db040b0f88428_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\UserDotNI\devoptisys.exe
  C:\UserDotNI\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint5K\optidevsys.exe

Filesize
4.1MB

MD5
113a254d14a0424c4ee0e1b940ea121f

SHA1
70c2754cc9c868ca5d85c01b4e3a7d7e54dbf174

SHA256
426ee6de76d77178e383fb9d8468832418ec8c0e14dc730425a62de731d82286

SHA512
20db762d4e3c243f68e080ccf54d4fe11d4c7fd1902963af69b26af4c52ae16f2f9d4eefbe1bb4533df956b52b5b2659b2cd565f6d5b32e24575b69733e78e6b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
dcbd2eedbef8349a498800fb62adb701

SHA1
bf83e67d0daad2d1bda653defa03993200bcaa1b

SHA256
8384e52c2220b08dbd85e4eb9467cf7305bde8e45672720464d31a2f93fa80a3

SHA512
ce8ea92a1885210c6591f0a59a193c6974243b4cb60484d6d17f72e7cba654f708cf7b51d57e3ff70c011e8e7be07aa91c670ccba62f6683bd97e277eb842396

Download Submit
\UserDotNI\devoptisys.exe

Filesize
4.1MB

MD5
35672d575f9018bfc5b26b421dbaf5da

SHA1
e884a6b79fb9f6d90159fe265febb6422b1283f3

SHA256
9bb141812d757ebdfb173cd4a642932b3cdfc5c2df79487fc2e41f1539d8f203

SHA512
2f36cc2828d1ea9dd20677e26acaf4d6cde59725d1daee315e47eb33605137e7fd9e62283283e18149db99c49854e2061ae2de21434ff18fde4a52a59162bbc5

Download Submit