38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 03:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
Size

2.7MB
MD5

a1f45f168565cc82ad08674939f9dfd0
SHA1

be55c53f564ce3b146974aaf0c70cb264c178cae
SHA256

38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25
SHA512

46153ad49a3510db99ee345b9c0da06ccb5af7f26075837bc7ce56dddbb2648ceefc42fa910a12e015326bd5fbbe6a84d395f3dc4f94047ac1e972ff2a69242f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSN\\optidevec.exe"	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ3\\xoptiloc.exe"	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
2568	xoptiloc.exe
1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2568	1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2568	1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2568	1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2568	1936	38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38fa3bddb9b2e5b3ce65ceb6a7c448041aad637d9c6e4e1b3772468c2db8bd25_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\FilesZ3\xoptiloc.exe
  C:\FilesZ3\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintSN\optidevec.exe

Filesize
2.7MB

MD5
95cef2d07c9007853089092eff4f3998

SHA1
b2c461725a7bb1c6b6cce865d931f2cb429f4bf0

SHA256
4c3213f0ecc12b04d4f16dcf714873f09271ed0945e309748046733103d6f3fc

SHA512
07df2aff264d028a149536799e8b913956ee752acef7ccd4b4c340e78f1afcb8663fed208768ef2e1b162edfb1d3426538082b62e7a7e1632dd2355e3f18e74c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
68fd94102b02eea49c091a8e035c7a7b

SHA1
ce02b810e93b83358edafa964da27f8f9bfbdb3c

SHA256
469c976134066b12662d5667f960b88325f0be5a5254f4e56befb1c0c4f593e6

SHA512
bfdba1520dbd50107b0d8592e52800510ca99ec747f23a860f17e5e77475e7a1ce7a2580a67d5b80c86adc33537546e1fb6cdf9cfad7b471af8b64a92bd53c44

Download Submit
\FilesZ3\xoptiloc.exe

Filesize
2.7MB

MD5
04a8ce0384ae3b7bcc74235968b914b7

SHA1
22f3f75a1700d4559ba9f7d47d8701db72edfce4

SHA256
b65a49d595adf14816594d316395a1a04bf13273e17ee7b4bd316b161df11dfe

SHA512
2b9fc6acc33e1d7af01b8c7b1664081ea3e2d201a1ab2805bedc2ce9b3d469d15ffb2c0a7c28f9878c9c08517ed93c504b99af63df0dda34635d47d034fbd67b

Download Submit