01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
Size

2.7MB
MD5

4152c72a385e070014047cdfbde55080
SHA1

6fdaf7620435ae51638759931cfd47d39bffde12
SHA256

01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2
SHA512

b78b2d610d6e233cc3d3b6893d5b99b8a09ad968b42ab2fd85b4165a3068b4b6f2a772dc0d34199bf49c275a5724b4041071521fb08e4bc146b3337d419b6e21
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJX\\devoptiec.exe"	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB80\\optiaec.exe"	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
2860	devoptiec.exe
1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2860	1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2860	1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2860	1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2860	1728	01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01a52614038ad81a8c462d3eacb52da5da9f65c78d45336457eb93dc11c467f2_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\IntelprocJX\devoptiec.exe
  C:\IntelprocJX\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB80\optiaec.exe

Filesize
2.7MB

MD5
f55da5e839b02eeb8c21cfbbc1d617e8

SHA1
9822a09a53297f94d49b7e7498b7ef1c7ac832ca

SHA256
36caff8c580a32a2132fc985fa4880f25babe4a61dc17d828844792ca17b20a8

SHA512
aea5325b5c9c04b5b1d3602b7f322d0b1ec9216f02471099072b82e7ecc178837f4f34130120b313c758c65203cf45ebe86509cc3ed43fb637c23281ea4c392a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e97376d83a1c79e758e271b3be03a14d

SHA1
ef3a096472f7a3a429cf47513da4d1d28493d981

SHA256
350e7dddeabb71b443d84460fa0b8305d70061dc9e151b0dc8d4f4cbfc4c4394

SHA512
a7766a5e4359ec6157114c23aea951538671e4e3a7e7fbc2ce26f85eaa5d8b47498f92351d3eda86201cd1717aca8a096913c021dfc72786c4f1961a766d79ea

Download Submit
\IntelprocJX\devoptiec.exe

Filesize
2.7MB

MD5
f28f2242e0271c055b9218d7a7716c0f

SHA1
f79e595e3d88a4bcd133b150e3c75ceac9dfe2fe

SHA256
adb6b4957bb70edf25221426090911f8179e363d76b865f8a5df03e3d623b9c6

SHA512
477ca01f2e47235032620a8f135f432d4a74eed0ce0ef767364188117d856a367c79fa3171072bf5ae271f58972975ad0b66c87f3571783b48b05b3b400b480b

Download Submit