Analysis Overview
SHA256
ad203fac83feb2654cde73778509b316c899f7ef8383e706c8708f91fb0907e9
Threat Level: Shows suspicious behavior
The file 9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe was classified as showing suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:22
Reported
2024-06-01 07:24
Platform
win7-20240221-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\AdobeKN\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKN\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRD\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command Line |
| C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\AdobeKN\xoptisys.exe | C:\AdobeKN\xoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | a58348d097e8b6a4c219f21ef2278bd9 |
| SHA1 | 5eb6dbb5df43819493520630063c0900d4cc1e8a |
| SHA256 | 465503084cd5c810df072fe04f6520b87d19a654cb1ea615b8117671e2d1b6e1 |
| SHA512 | 81809f86a3e8c1e27cef3cfea61202096bb24a17ba084e8a16f82fa0c3775198b33e70b9c4962b7e91fe87584cd2bb8146f0d889d436809cc831d391d4ebe36e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c3cb2dd504e1e76b44b5f5c4e2610e06 |
| SHA1 | b501fab865d601a7ed064b8f007f051df726989f |
| SHA256 | fb813d7837c8f4b3d88546b716814597270af1ae6223dc470dc1331c67ce2c02 |
| SHA512 | 9bdfee563fa2902388468802302636c49215c78468f1a158bae002f2b18cc19a78a1b629d7ce6768c0db1c330ea42025fe3d027dd70859cb378b34b5305a77ba |
C:\AdobeKN\xoptisys.exe
| MD5 | 159cb0aaffe6448704e4011542cfd64c |
| SHA1 | d118e593474789e90b400b418fe5698321d5eba8 |
| SHA256 | 07be9c3df18fd321124656f1cc58cfbad80ca7611e0a3e7773bec0041ffe7090 |
| SHA512 | 242627838f6a3d44a5438b060f9d3ab1ee60ed6d9a1983333155d2b458d1843d8e4dc955ac36af37b811f6c06064616381bb86b0840a5fea45e7a691525c124b |
C:\GalaxRD\dobdevec.exe
| MD5 | 761b9a3f416c10f03ed7b1c469d5228e |
| SHA1 | 409647b1b673054bf20e1fc0930980a4621f6da0 |
| SHA256 | 82a821533670350ac98e60c964d97906c2fdaa458362fe37bd0ffa2edad00529 |
| SHA512 | 87032fb81518b7bf5575097dea7d0b91438a62298bff461194e5808417547b24830ddba6ecaafb739c01da7ad90403ed4f474d1711f6d3240183513a48f83878 |
\AdobeKN\xoptisys.exe
| MD5 | be2ff1dc15fdde1296d85a06864f5d1c |
| SHA1 | b8b4862e7dd47d8f4e0b6e798237ddf2bb098aeb |
| SHA256 | 7d2ef72a0e9ba3932cc16d452eb62cc03d61508c8f3874c406ffed0c28aabcd4 |
| SHA512 | 82020fae8f2402c7837a8a4214668fa0ce0e558d6ad6765bcb3986d2c488bba5e2920a246de0a87b4cc962315da351dadb4bf1f3db8396253150bd83c01b429c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 155579dd3159a0882cf2135a3794e844 |
| SHA1 | cbebd78c6541a48f7fe31dc5ddf76803976730a6 |
| SHA256 | 86553530422bbe5867dcc1c5b3480bcfb5ce2cba0315d3ca4da3b755d184e8b0 |
| SHA512 | c2ca3c3dd6319c13a87dab0be3d049ace7bcd5f15c12cdb64a466f9911f6af76c9ea7b536a977fbc779e70fc8e689d0cdcff868771aaa581c9e07b560e2f3b60 |
C:\GalaxRD\dobdevec.exe
| MD5 | 3ffa38fc481cd4e85d44d35731907b68 |
| SHA1 | d069e35dfeb4c91b7ed2a88ee204f377d258ce6d |
| SHA256 | 16908559f8dea4738a78ad7257a3d3b923feeec542e542cae473adb700bb47d3 |
| SHA512 | e0118ec6ed6d1cda45d28e2d07c4c3c41f1344cfe97611766174c4d887dfec7b2e25251c8e1d126e83bc1a5bedd867b4010165dc15064070c9d44734b39f880e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:22
Reported
2024-06-01 07:24
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocZZ\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZZ\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1Z\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
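The persistence recorded in both detonations (behavioral1 on win7, behavioral2 on win10v2004) follows the same pattern: an executable is dropped into the per-user Startup folder, and a Run and a RunOnce value are written under HKU\<SID>\Software\Microsoft\Windows\CurrentVersion, pointing at a second-stage binary in a freshly created directory directly under C:\. The directory names (AdobeKN / IntelprocZZ, GalaxRD / Galax1Z), the Startup file names (sysdevopti.exe / sysadob.exe) and the dropped-file hashes all differ between runs, while the registry value name "Parametr" is identical, so the value name and the Startup-folder drop are the indicators worth encoding. The script below is an added example, not part of the sandbox report: it parses the report's own "Adds Run key" indicator rows, turns them into two checks, and runs them over constructed Sysmon-style events (EventID 13 for registry value writes, EventID 11 for file creation). The event dictionary layout, the function names and the "non-standard root directory" heuristic are assumptions; only the paths, SIDs and value name come from the report.

```python
"""Detection checks for the persistence recorded above (added example)."""
import re
from typing import Optional

# Registry indicators copied from the "Adds Run key" rows of both detonations.
REPORT_REGISTRY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKN\\xoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRD\\dobdevec.exe"',
    r'\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZZ\\xoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1Z\\boddevec.exe"',
]
RUN_VALUE_NAME = "Parametr"  # identical in both runs; directory and file names were not
STARTUP_DIR = r"\appdata\roaming\microsoft\windows\start menu\programs\startup" + "\\"
AUTOSTART_EXTS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Root-level directories where an autostart binary is unremarkable (heuristic, an assumption).
EXPECTED_ROOT_DIRS = {"program files", "program files (x86)", "windows", "users", "programdata"}

# Accepts the report's \REGISTRY\USER\<SID>\... form and Sysmon's HKU\<SID>\... form.
RUN_KEY_RE = re.compile(
    r"^(?:\\REGISTRY\\USER|HKU)\\(?P<sid>S-1-5-21-[0-9-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def parse_registry_indicator(indicator: str) -> dict:
    """Split a report row '<key path>\\<value> = "<data>"' into sid, key, name, data."""
    path, _, data = indicator.partition(" = ")
    m = RUN_KEY_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a Run/RunOnce indicator: {indicator}")
    # The report doubles backslashes inside the quoted data; undo that.
    data = data.strip().strip('"').replace("\\\\", "\\")
    return {"sid": m["sid"], "key": m["key"], "name": m["name"], "data": data}


def check_run_value(target_object: str, details: str) -> Optional[dict]:
    """Flag a Run/RunOnce value write that matches the report or the root-dir heuristic."""
    m = RUN_KEY_RE.match(target_object)
    if not m:
        return None
    reasons = []
    if m["name"].lower() == RUN_VALUE_NAME.lower():
        reasons.append("value name matches the report indicator")
    exe = details.strip().strip('"').lower()
    root = re.match(r"^[a-z]:\\([^\\]+)\\", exe)
    if root and root.group(1) not in EXPECTED_ROOT_DIRS:
        reasons.append(f"autostart binary under non-standard root directory {root.group(1)!r}")
    if not reasons:
        return None
    return {"rule": "run-key-persistence", "sid": m["sid"], "key": m["key"],
            "name": m["name"], "data": details, "reasons": reasons}


def is_startup_drop(target_filename: str) -> bool:
    """True when an executable-type file is created in the per-user Startup folder."""
    p = target_filename.lower()
    return STARTUP_DIR in p and p.endswith(AUTOSTART_EXTS)


def scan(events: list) -> list:
    """Run both checks over Sysmon-style events (13 = registry value set, 11 = file create)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 13:
            hit = check_run_value(ev["TargetObject"], ev["Details"])
            if hit:
                alerts.append({**hit, "image": ev.get("Image")})
        elif ev.get("EventID") == 11 and is_startup_drop(ev["TargetFilename"]):
            alerts.append({"rule": "startup-folder-drop",
                           "path": ev["TargetFilename"], "image": ev.get("Image")})
    return alerts


# Constructed events: the first three mirror behavioral1, the last two are benign noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe"
SID1 = "S-1-5-21-1298544033-3225604241-2703760938-1000"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID1}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\AdobeKN\xoptisys.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID1}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\GalaxRD\dobdevec.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": rf"HKU\{SID1}\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events it raises three alerts (the Run write, the RunOnce write and the Startup-folder drop) and ignores the two benign ones. The root-directory heuristic is deliberately narrow: it catches C:\AdobeKN-style directories but not an autostart entry under a user's AppData, which is where the Startup-folder check takes over.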
Processes
| Image | Command Line |
| C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9276f79325ba0e41da5ad0d602c1c340_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\IntelprocZZ\xoptisys.exe | C:\IntelprocZZ\xoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
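Most rows in this table are not connections but reverse DNS queries: a name such as 232.168.11.51.in-addr.arpa is a PTR lookup for 51.11.168.232, with the octets reversed. The only forward lookup is tse1.mm.bing.net, and the only TCP connections go to 204.79.197.200:443 and 23.62.61.194:443 (bing endpoints), one of which is itself reverse-resolved in the second-to-last row. The report does not attribute any row to a process, behavioral1 on win7 recorded no network activity at all, and bing traffic plus reverse lookups of Microsoft address space is consistent with Windows 10 background activity, so none of these rows should be used as a network indicator for the sample without per-process attribution. The script below is an added example, not part of the report: it parses the table as printed, decodes the PTR names, and separates reverse lookups, forward lookups and connections so the actual destinations can be read off directly. The function names and the output layout are assumptions.

```python
"""Classify the behavioral2 Network rows (added example, not part of the report)."""
import ipaddress
import re
from collections import Counter

# The behavioral2 Network table, copied from the report as printed.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<country>\w+)\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)
PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$")


def parse_rows(table: str) -> list:
    """Parse '| country | ip:port | domain | proto |' lines into dicts; skip anything else."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_name_to_ip(name: str):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; IPv4 PTR names list the octets reversed."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(row: dict) -> dict:
    """Label a row as a reverse lookup, a forward lookup, or a real connection."""
    ip, _, port = row["dst"].rpartition(":")
    if row["proto"] == "udp" and port == "53":
        rev = ptr_name_to_ip(row["domain"])
        if rev:
            return {"kind": "reverse-dns", "resolver": ip, "queried_ip": rev}
        return {"kind": "forward-dns", "resolver": ip, "name": row["domain"]}
    return {"kind": "connection", "host": row["domain"], "ip": ip,
            "port": int(port), "proto": row["proto"]}


def summarize(table: str) -> dict:
    """Counts per kind, the addresses that were reverse-resolved, and the connection endpoints."""
    items = [classify(r) for r in parse_rows(table)]
    reverse_ips = {i["queried_ip"] for i in items if i["kind"] == "reverse-dns"}
    endpoints = {(i["host"], i["ip"], i["port"]) for i in items if i["kind"] == "connection"}
    return {
        "counts": dict(Counter(i["kind"] for i in items)),
        "reverse_lookups": sorted(reverse_ips, key=ipaddress.IPv4Address),
        "endpoints": sorted(endpoints),
        # A reverse lookup of an address the host also connected to is the OS
        # resolving its own connection, not a new destination.
        "reverse_of_connection": sorted(reverse_ips & {e[1] for e in endpoints}),
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_TABLE).items():
        print(key, value)
```

On this table the summary comes out as 11 reverse lookups, 1 forward lookup and 5 connections to two endpoints, with 23.62.61.194 appearing both as a connection target and as a reverse lookup. The decoded addresses (for example 51.11.168.232, 40.126.31.73, 20.106.86.13) are what to check against threat intelligence, not the in-addr.arpa strings.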
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | cd15e55625190cff78b6d1b7dbfc82f4 |
| SHA1 | 1d5899a01d276a6352ab6943d19ab55720040be6 |
| SHA256 | 75dd5f8e34d072304537e281c903e1312205e41c044226c4c36c3b12e5621910 |
| SHA512 | bed01f9a6b2503fe2e6d96de35de9c1af5eecd5ab94d9cdb265a3bef18a493b75e9d28858ab6bec46c175baef2f80f6d41ed577eb0718aa4b565e3941c49e96f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a5982ed2f106f3141848f3f38a69421c |
| SHA1 | 333a330c685dcc1b06f0baa4461e83aa030b8699 |
| SHA256 | 30e3f615ea111df612cb4e2317f5f3bb9693f0a261f8240b9bfcb6b5c4e699dc |
| SHA512 | 8237ed103e0fe58264016addd2f8ed8b6c32773d6aec9a723f38c94ca06e05e0d1da9f471470973ce2e15786a3077dddf70202b2f7b8a4e3b4fc2ea8765dcf77 |
C:\IntelprocZZ\xoptisys.exe
| MD5 | 66f104ce847af6497a77e415669d43f6 |
| SHA1 | b4120d61862f538d7a93b936e6fceb5c402e0168 |
| SHA256 | 22620d92667f3f6fd4b05b6fc9ad9ab1220499a2b70c12e0ccba9d2a98bca301 |
| SHA512 | f14378115e54d9156717b9723d8b90b462c3ba19d99944cbd8a17c7149d946f0c3bd5f10553cb71dc73e6b0ce10efd93e9c401e11daccbeba0c5c770aeedfaba |
C:\IntelprocZZ\xoptisys.exe
| MD5 | 35cfdcd973a4ea32d028104a8ea454ab |
| SHA1 | 7d806f49b3588cd6749c80e36373eaf4a4623dfa |
| SHA256 | 789bfc91a9141d63224a60c758d2af419d7eee49b0c0046a2063c23db91a0ef5 |
| SHA512 | 56d011f91865cf08d1dcb9c812ac794ef5ef77356678e7a28723a0624df4059fe63ec956e45409587a6b96f2b384b164c1f0c25af50516503f517f57b590fd31 |
C:\Galax1Z\boddevec.exe
| MD5 | abb7e73e082fe6117853845dcc636114 |
| SHA1 | 62158cf48f0f80effa30bf69e7efaf221d8eb73b |
| SHA256 | 8ea47db9373d794fba0becb0f4f7b864446140b47e166eaae678e0864c0806a8 |
| SHA512 | f0cbc2482da46615b2fcc5030ae54ed64c9342120a5abd633904a8ef038f02d650ff9479605fdda93331ef7bb104be9306e38da23068098585915ef9cbf8ae89 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 47ed95f3dbed7d311263f96dcc6b0542 |
| SHA1 | 88c6f92fa9a2cd6cc2f06644fb768856e82d2c4e |
| SHA256 | 9dfa26834ecd0b9ab99012e854507775dcb6952632d9a86b62a2f7ef60c56c62 |
| SHA512 | c60879f8f525133f865b58e7127c2e6b93415fee7d9d7eaefa22a00195e219bd68675651c280f73a43e069c21fecf0c807c486ae4a587a342d706b86c7590819 |
C:\Galax1Z\boddevec.exe
| MD5 | 763ea54c35ba68ead33cac1d7bb8a096 |
| SHA1 | 9bccaa40fa71198259953d8d57840bb5b9f629f9 |
| SHA256 | ae36c5e8899eb8d2ae1b1530e024ca65ed561736c291147de54a7976305ae88d |
| SHA512 | 14b779c7be974dea8903f92ebcad30e360b775d434d74669f97951157b4e75cbb8f231af9098bf390775b3f1af1165936224a7332e9f1d93c95503f5af6a3866 |