17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
Size

2.7MB
MD5

c04b22fdd4abfb82c971334105f8a850
SHA1

c57dbcefdb1bf441efbf92ebd1afc1ae8c65b730
SHA256

17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d
SHA512

19e0b58d4b3c33bc10659774114a579faf9cdbf05baf0f40ff2c76bf4886bd3333814cc1bc9cf56bc99d647b8fb7aa329e42d635e8783a41c86dd52863b14125
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGX\\xoptiec.exe"	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax23\\dobdevloc.exe"	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
2780	xoptiec.exe
1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2780	1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe	28
PID 1984 wrote to memory of 2780	1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe	28
PID 1984 wrote to memory of 2780	1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe	28
PID 1984 wrote to memory of 2780	1984	17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17066232cde84efde8080de89326014a52e4c3f77db0fc5e51da9aed9e8fe94d_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984
- C:\AdobeGX\xoptiec.exe
  C:\AdobeGX\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax23\dobdevloc.exe

Filesize
2.7MB

MD5
521c76069c4143097dfef0b22b2b8cbd

SHA1
dbaba7b20f158239b8be8948f76c75c92b620ca3

SHA256
5a4af75317050fc4fd38a07db798bc4064e2070888f6c88b74165cec1fb95ef3

SHA512
0431a3eac1f964722acb762c24c29e432ef4a9ad30eaf2c36a1dc171e2ac50130bdde25546ff7e54c05a2af54288f90fdc145b424669f6318f44f6f67d0a2519

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e232522e561b3a243d15843f1b86c490

SHA1
ae52e1770c3c8f7e7c4a307afe1a7d86ca339a78

SHA256
ec4b2fdb3c9daf36f59ed8f261c4ce83a308bedf56c70348fd9cfe0078a7ba26

SHA512
a47722d1acc31d2280f080858e240609a4660ef2a2a577203ab260f4b50a6e7f764423e53d25f52f82b6a5e8e24f2a954f197bab8efc8dae0cc57d4c278f21a0

Download Submit
\AdobeGX\xoptiec.exe

Filesize
2.7MB

MD5
c8547896176ab2cd561d48874576f28e

SHA1
02b1203db436628658ab4be95a51e246e3006cc0

SHA256
2a1dc7e67dde0a2c8c379bee38d73124ec8b91e9c7d1492a1a9d18e2f70f0833

SHA512
d4ad53e0cb6425a3c716fab74376bca193f5ab3ee4eec19482e005532dfa6012d3a54225a4997359cf96e810257da81f195e08e90e1734d9f16275bc41b212d9

Download Submit