8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
Size

2.7MB
MD5

7221fb33c7a1247065fa85c8629a2bb0
SHA1

ef10d6210d5362036dc513db51b109a3bc9e9687
SHA256

8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c
SHA512

668fd852ffbfe81359efb351e56284722712afe53b13f181c06dfcfbc46b28b2b81ffd1ff26029d8b47bd66e6157ebe30d08451535a624ec57cd7d7c1d248960
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC6\\aoptiloc.exe"	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3A\\optixec.exe"	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
2960	aoptiloc.exe
2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2960	2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe	28
PID 2684 wrote to memory of 2960	2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe	28
PID 2684 wrote to memory of 2960	2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe	28
PID 2684 wrote to memory of 2960	2684	8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c1404a2d1323520e17f68c2cf1e0429bb161d979cdce7da254b02e610328f6c_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684
- C:\AdobeC6\aoptiloc.exe
  C:\AdobeC6\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint3A\optixec.exe

Filesize
2.7MB

MD5
8e79f0535da7e46f7d20adc64c784cb0

SHA1
ffc7e0c01bd08e38eb6e3b2083f1de31f5a63a0a

SHA256
cf1484d26760a43a320f23a734579fb3d8a5abd5f56e7f2399b64e2c04d9aee9

SHA512
3091b736ec16274d2e8394463731961c969597b648e08d5c49bffb1836582aba2237898e5bf8e5667ea1868cd0446fe3e28c0b12e45ac6a497913901d9975f1c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
6eb6ab2c5c42c8b6ee970c2da9a07ed9

SHA1
be1d11ed0f41112a726077df647e131d723477fe

SHA256
ee3a448bb5f3f7310edfbc1ab217b8be443658fcfab7b10ecb42a334c5893989

SHA512
5cc6734f940fee0e8dbb52e8e397b07962d13b2ed1498c2dbf1c43fbe6468dfa2a7a846fef81e304bc64f239e915b167ed5d756eeb6d525ffd174356ac8252d6

Download Submit
\AdobeC6\aoptiloc.exe

Filesize
2.7MB

MD5
768eace496f90d273904453381164727

SHA1
9762cc175cc6036e82facb87d81da5f597a67beb

SHA256
3bb530d786aa78f70d1989089de014106f8879aa731be70e24a0b0a1633bd897

SHA512
e39eb04b09426baf4929744835878d81e23aaab512315a6768b7b787ae2e68410418e0e78dcdd9087e9531a047335bcb6135317bb14e0b901c2ae911437d3fbc

Download Submit