7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
Size

2.7MB
MD5

a2175b6ea9c69be8f6880a80bc2a2b50
SHA1

c9df94eadac113b8f4258feaf5686087590e386f
SHA256

7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca
SHA512

f373870cb7f52a302ef84c555b8ce61b3784cb67d080205a858c9321b9a024a2b9286c9f40406a83afabb506d8a8691bd7b6ec838c9ad80189c249eda35138f8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLR\\aoptiloc.exe"	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTB\\dobxsys.exe"	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
3032	aoptiloc.exe
1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3032	1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	28
PID 1912 wrote to memory of 3032	1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	28
PID 1912 wrote to memory of 3032	1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	28
PID 1912 wrote to memory of 3032	1912	7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7418a0fc01b8a7ad020f205e113496b1427b18d868620b5ecebe0835ff9208ca_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\FilesLR\aoptiloc.exe
  C:\FilesLR\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxTB\dobxsys.exe

Filesize
2.7MB

MD5
7cb49b8bdffe4113f88870f1c3659415

SHA1
9d6f6a24a2840468ef41a6d49999a5c64227e0fa

SHA256
f68940f41abed7016747867b470dbf8ff0f97400e5662ed59ebca84f44c8330a

SHA512
eb4476f4055474e882afea02b101ba26fb44fc3b0c35f3aeb9ecfb135c132e516d4df4fb7a6f6a25f8cf8de19affbfb4bfa94e37ec50b994095f59e681d695af

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
b4074e2f509fb7a3568e78b28652e987

SHA1
0a6551c2a5e2ea9e2432d956b323be56736f3d24

SHA256
e00129c32cc90fcb565f209f36c4f05b70d30d7744357db0636b54b292051cda

SHA512
33e2b261ce4297d410ddb6f47a9d18b095c418b9808c8c05afbf86d54d3107dd4110234821880dc589e7d580142dddd44e2c948f343e67d48ed21525f4f34a5d

Download Submit
\FilesLR\aoptiloc.exe

Filesize
2.7MB

MD5
08dd4876f9850a6a6e49dadea6b05230

SHA1
7cc206cf92bdd177a1eb42a971c3016ea352c2d2

SHA256
034ca0973e1e8d5a984190f091a78d1c8b811758c1a4e7ae5883fd6bc6ee7857

SHA512
52024f8e87ad2029af8df75115e4161cb3e5c72d8ad7a1feec9d689357dde6e327e239ad35e72090d1bc247f5583634dca5e9a4600666bca4bf1aa697d0749a5

Download Submit