Analysis Overview
SHA256
93d9183084538d1eaefa2f0914467c25768b24910c42a7dbd99020898adf0b81
Threat Level: Shows suspicious behavior
The file 187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:01
Reported
2024-06-02 01:04
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesWQ\aoptiec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWQ\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMP\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 116 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\FilesWQ\aoptiec.exe |
| PID 116 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\FilesWQ\aoptiec.exe |
| PID 116 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\FilesWQ\aoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe"
C:\FilesWQ\aoptiec.exe
C:\FilesWQ\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\FilesWQ\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | 684ca3a59a619e42a32e6c2ae33c7bb1 |
| SHA1 | 12441ce9422a231c842f10331ae178d54dcaeb17 |
| SHA256 | 6a8ac606eeb7332c7230544130406ecac67cecbc06cd6b3d122e36e7d20974e1 |
| SHA512 | 9ca94fec2a6ec8c949c8f85151fc60d6b4c5587e499bd817fff3a7c75f5cbd248d8639e6de787707206233961d44685cfe1046d2c0716acd84be4f320ce76611 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 196068cb210e635c44dfa63cb8590f74 |
| SHA1 | 384f7634fd7a3a40800d987f3a1119c21ee92538 |
| SHA256 | f2a877a40d9c767c07f117d6a326c9278d961ff871a955d407abcb78946e042a |
| SHA512 | 33b65a30d299f21c71ded076d75d7fc37decff94f18eb5ee4eb6138a2fbaeb773505f915f9790490945b64d3a6994f12ada7193863a0401b8bbdefe2484b10ef |
C:\VidMP\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | 314114e52316a1a85265da9c40fbc967 |
| SHA1 | 0b4e102bafb9d477b965becb428f9dd788b12d9a |
| SHA256 | 9b8ae7bf2c86ca523618243d07ae002e3a246583d1155405b0727086dba96ae6 |
| SHA512 | 3f74eb27d4ac18a890c9765d9b04d03ef8bc0952771a543192a2f001496c7892ea16c4c1b5129d5aa87a9379d24b3fd9df3eb1642e865a8a60dbccbb15dc434e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:01
Reported
2024-06-02 01:04
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocZA\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZA\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOH\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\IntelprocZA\devbodsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\IntelprocZA\devbodsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\IntelprocZA\devbodsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe | C:\IntelprocZA\devbodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\187d7125a1557a8d51f8ce5d46e93ec0_NeikiAnalytics.exe"
C:\IntelprocZA\devbodsys.exe
C:\IntelprocZA\devbodsys.exe
Network
Files
\IntelprocZA\devbodsys.exe
| Hash | Value |
|---|---|
| MD5 | 49312c3df95a490723f83af865f67681 |
| SHA1 | bd83fbc295f7970bbfbc39de84dcf915918eaaaa |
| SHA256 | bead5a2b2e4e03cb59c524e650edaddf4ee3c2f6a67d29ffbbcc30e6e5d5fe92 |
| SHA512 | 46c2c33e0bcebbc8ee28b82f68767d61c5488b562f881ae87f36104b4e6912d822e4ace5bb709040fba1f99d7e72279fd452f155463858670eb04aa2589e8b32 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 6efc207ecbcf710553722d950c771e84 |
| SHA1 | bffd4a20bed594bc04568e6d5d86c45c5788b4cb |
| SHA256 | fc6a986df83cbb5ab246a11e5660211c89ab2f65f829172d797609e199c15bd2 |
| SHA512 | 14bc0e4c7d1e301149ee1ea28bcdd5055f43522d72087a1ec1975cd2a24adfaac21c5f02711f94fb11eab95888d3ee14781e86f8c01ef43d9e5f4726875ab925 |
C:\GalaxOH\optidevsys.exe
| Hash | Value |
|---|---|
| MD5 | f84d2021b356535f6c475c8935ac2344 |
| SHA1 | c2614160139f7bfb92586b04c491539eff04f91b |
| SHA256 | 535ec41a53b90d2b02ac47e95f31048f687b41ac6eeaac6ef2175baf1c4a1045 |
| SHA512 | 797ddf04a7c3d7e4d20c69114e6ae190cbd358f5a8caa8c0f1052d99cd890150d890f828a58c08156513819a96b74839aa8ad1f1d99fd33d4e314c36230dc0a9 |