4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 07:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
Size

3.1MB
MD5

e3b971bcd3d059305267b0516128f600
SHA1

fe9c34ebe9141f1d9bc40238d9c7702654800809
SHA256

4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08
SHA512

fe560c120817918a996e417a67131c9bd3536ecedda4cf76e45b523ab46d42f29a43ae5d2a6b8d0c6767afeea817c1c57e44f510e687cb7f4b22a0163897b63c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Su+LNfej:+R0pI/IQlUoMPdmpSpB4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3672	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv19\\aoptisys.exe"	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint69\\optidevloc.exe"	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
3672	aoptisys.exe
3672	aoptisys.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3672	4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe	82
PID 4620 wrote to memory of 3672	4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe	82
PID 4620 wrote to memory of 3672	4620	4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e59b00f82b0b26eedacd9fc8cc46d17ad4d26308b271122ed43d68a7a357f08_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620
- C:\SysDrv19\aoptisys.exe
  C:\SysDrv19\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint69\optidevloc.exe

Filesize
3.1MB

MD5
08f45136212f4ddca0dcc2722f5a7c6f

SHA1
afec17b2fcde35778ac012f6cc4ddece9a69f6a7

SHA256
71f42b977f56ec678c9b9ee3cccb11d651574fc695fa4ae539bfccfa1bad7a67

SHA512
786c9beccad470fb6713c1c45aba5664a12feb87df93ebc6671c0df97f9c335a13921abff9131c11bed995cb91bb7b5bc7fd06117ee43e133376b77931c02ebf

Download Submit
C:\SysDrv19\aoptisys.exe

Filesize
3.1MB

MD5
eb5956e2893fc5ebe416b289ff2302eb

SHA1
48b5f21b71448a9e133f009bdeb9f18fa493ac38

SHA256
86a2fa729e9af44ce0126f50524707815fa1bf8edb2fb17fea0bab536cb993bf

SHA512
03dd1cfab56f6e55bf6fea3e0447d9f4805c976fbf0afc1cc814505ead5560e005457dbd6069f38cbb00166e60a3bf56b82f1e9088026b4421386c4527fd584f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
b3fb9bfb7407a9d538243eb41fd647f8

SHA1
8a5341213f936ae58de289fc3449687e2fb7f95b

SHA256
f0b6351baf76df49043a2e54b7b05c17c3ab29b0517835196f6164e3cee433b2

SHA512
20fd76fcce8b9da4ef977fe984ce95c180a55e2ba3663a9788a6619df6c3a247b9e81ff28f62a46d7f7be7b11524433fd2672d4d14d237bd93fef4d9673804f9

Download Submit