Analysis Overview
SHA256
a7c277acbfe7f94d457f365d6998fa23965ea5f71bab9c49d4e158293e36d1f0
Threat Level: Shows suspicious behavior
The file 4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 06:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 06:46
Reported
2024-06-02 06:48
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FilesLR\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLR\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTB\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2880 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\FilesLR\aoptiloc.exe |
| PID 2880 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\FilesLR\aoptiloc.exe |
| PID 2880 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\FilesLR\aoptiloc.exe |
| PID 2880 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\FilesLR\aoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe"
C:\FilesLR\aoptiloc.exe
C:\FilesLR\aoptiloc.exe
Network
Files
\FilesLR\aoptiloc.exe
| MD5 | 20eb1ec590258cdf17dd73d50de667be |
| SHA1 | 9bef0e818390bc0b8c58811c3ec060cb4c066f35 |
| SHA256 | d605f1f3c0f397095e3896b5ff641a49fc3ccb3bcc83664f700ae9f2654616b2 |
| SHA512 | 3de935e3942d40e2a1cf2f7353e59c2e62cf3b09c78ca7d37d5b5bb3b118dca3a3c6ccac9d9917db7702e8ac2fd3565626d26953c7673e5612ee3fcaa8e17a4b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 592599b51f5e413be2f4d54f2d338f73 |
| SHA1 | 66a16ebb1794a3fe63342fa1434ed2b1d6c64bed |
| SHA256 | 9e649333cdd5c2c58b1d41e67d009d9b34ad6206c7fcd33b7ac4cfd043722887 |
| SHA512 | 3e2f3405e8f3250c1cd505336a6bdf721b98336028bcbf51fed2561a04a5c3b48e924610640fed85f2a62f1c89834287c06925cf29d0bd3831751b7a0ad1a4ba |
C:\GalaxTB\dobxsys.exe
| MD5 | 465e6d58a09c4dbf2e9827be080e3a71 |
| SHA1 | bb002dda1fcfab4b585690a4ed10de37be35b712 |
| SHA256 | 9abf78a7f7bb96af2fe6a3712de44e18ba98accab5216058025da888e40ccf17 |
| SHA512 | 7a9bc8761b23b39cf235c08dde6715bdc3c046464068a796939d30c9ff2c80ef4024c9fe82ca759b9960bd04b766f6ce90170612204af15ba0396f3600f4b725 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 06:46
Reported
2024-06-02 06:48
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
102s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvAY\xoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKC\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAY\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\SysDrvAY\xoptisys.exe |
| PID 2976 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\SysDrvAY\xoptisys.exe |
| PID 2976 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe | C:\SysDrvAY\xoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a7cff2f45f93a211942065626689c60_NeikiAnalytics.exe"
C:\SysDrvAY\xoptisys.exe
C:\SysDrvAY\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\SysDrvAY\xoptisys.exe
| MD5 | caa63f1252beecf462d1241d0a1cc27a |
| SHA1 | 866f8c11bacd7b9b2c9e2c7e1c970d2a3b1253a0 |
| SHA256 | 7db85114a5b9d20e3f32ed8e5b1d31a3d3e1033256dfe4835b3cca4a2e4cd6bc |
| SHA512 | 7447af88a7d24b05914f395fd119ba9ace8c2e1ee4bab44bb2bca61687630e6b42d7847bd16adc8e32d119f96d14a15ee0a9ed90ff4003ffbc3aeec28e62cd75 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2fc13b93feea1b33e198f15e22982219 |
| SHA1 | f309c5111702e6608250940454ddf71b66f8b3ff |
| SHA256 | 2139ecaabf965a5737dcad1b3cd0f02a0c10857b50a84f089f305d8b6467852b |
| SHA512 | d66db5839b4999929f9cd09c6c6dce7b90ae372b80257ca1dba593b35e51bbb39c45b1957833c97ff9e95c8cceda8c8af3464e729d41847d5a8e24a79bae45d9 |
C:\KaVBKC\bodaloc.exe
| MD5 | a1e5d914a4b78d0f377ebb20f4b1a72e |
| SHA1 | 7d7a4e76debe739781c2eeb132f7d7d7b86cba21 |
| SHA256 | a33ace6a26353e6796f071da1660694215dc3a37cc03cdf3b25039861b3c578b |
| SHA512 | c89f69b89d2e89f5c8673313fde2e92e573748c6197d34a25ed35bfebcc4719a8db9152745b9c8b7812164ce0abca2c0d64ffd25354482eebde0f1f5108db328 |