Malware Analysis Report

2025-03-14 23:55

Sample ID 240603-fsqb4sce6v
Target 9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
SHA256 c297b78de4335daddb9f131bc31dd0bf8120b5250ba072d13ff3b24c05f14b1f
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: c297b78de4335daddb9f131bc31dd0bf8120b5250ba072d13ff3b24c05f14b1f

Threat level: shows suspicious behavior. The file 9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe drops a second PE to a freshly created directory under the drive root, executes it, registers it under the current user's Run and RunOnce keys, and repeatedly enumerates running processes.

Malicious Activity Summary

Signatures aggregated across the static1, behavioral1 and behavioral2 tasks:

persistence
Executes dropped EXE
Loads dropped DLL (behavioral1 only)
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory (appears in the aggregate summary only; no per-task entry is recorded below)

MITRE ATT&CK

Enterprise Matrix V15. Techniques mapped from the signatures recorded in the tasks below:

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), from the Run and RunOnce values set in both behavioral tasks.
Discovery: Process Discovery (T1057), from the repeated process-enumeration events in both behavioral tasks.

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:08

Signatures

Unsigned PE

No indicator details recorded for this signature (the sample carries no Authenticode signature).

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:08

Reported

2024-06-03 05:11

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Process: C:\FilesUU\xoptiloc.exe

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUU\\xoptiloc.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJV\\dobxsys.exe"

Both values live under the logged-on user's hive (HKU\<SID>, i.e. HKCU), so writing them needs no elevation. Run points at the already executed xoptiloc.exe; RunOnce points at dobxsys.exe, which the Files section shows was written to disk but which never appears in the process list, as expected for a RunOnce entry that fires at the next logon. Both targets sit in newly created directories directly under C:\ with randomised names.

Suspicious behavior: EnumeratesProcesses

64 process-enumeration events, none with further indicator detail:
33 from C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
31 from C:\FilesUU\xoptiloc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe"

C:\FilesUU\xoptiloc.exe
  command line: C:\FilesUU\xoptiloc.exe

Network

No network traffic recorded in this task.

Files

\FilesUU\xoptiloc.exe

MD5 2b2af07c19285523e1564be26f4b0628
SHA1 6e3518be6f56c7b6d2276c7b5aac20e99b9014a6
SHA256 bcba3976780c318dbc35149ab17ef0d04a31cbb3c785d3bf98ef14157b99d129
SHA512 f4f96f999bc36041726c6850aaf798ae9c4fc8c15b86815e172da7e1c91fc8cf074fe0f2fa6ff39b85ed2b91e6e9070c289c148014b572906fe0a2da26e5e41f

C:\Users\Admin\253086396416_6.1_Admin.ini (name embeds a fixed numeric prefix, the OS version 6.1 = Windows 7, and the user name)

MD5 6ceee7ba3bfc2e2183f42e6fc6f4a4bb
SHA1 1cba22205524c8171670ab05f3abee707c24727d
SHA256 e675d1f35f9fe26f3cc453d566bad1e32574cb405da16b3a339abb8835d69071
SHA512 c2581b726057f3176a683f93ae67de8543d6a4f12dd9ec0a7366557f1d928e1a701471ddcdc61f0e324616222b32be17d75568b7bceca06e239321ae7f583623

C:\VidJV\dobxsys.exe

MD5 33dd03a4a7462fa1606cf27d69bd263a
SHA1 645776080ba835efeb9605af6c1060eb5599ad17
SHA256 e40b695d253279f2303470daa3e017a54607580aeed5b05ce20ef38319deb5e5
SHA512 046a817ed6ae338d898cde1f77fa0b7265dffbafdc143642c5559eb4c643d277088b1c062fb6956a84f5536afd2f178f769e6304a8186699f0351c11a4c57b70

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:08

Reported

2024-06-03 05:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Process: C:\UserDotP8\devbodsys.exe

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP8\\devbodsys.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAO\\optiasys.exe"

Same pattern as behavioral1 with different names: the directories (UserDotP8, VidAO) and file names (devbodsys.exe, optiasys.exe) are randomised per run, while the value name Parametr, the Run/RunOnce split and the root-level target directories are constant. Path-based indicators from one run will therefore not match the next; the stable features are the value name and the layout. As in behavioral1, the RunOnce target is written to disk but not executed within the run.
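
The Run/RunOnce writes above and in behavioral1 share a shape that path-based IOCs miss: the directory and file names change between runs, while the value name "Parametr", the root-level target directory and the writer running from the user's Temp folder stay constant. The following Python is an added example, not part of the report or of the sandbox, showing detection logic over Sysmon-style registry events (Event ID 13, RegistryEvent Value Set). The three malicious records reuse the values the report lists; the benign control records and the surrounding event layout are constructed for illustration.

```python
"""
Added example, not part of the sandbox report: Sysmon-style detection logic
for the Run/RunOnce persistence recorded in behavioral1 and behavioral2.
The three registry writes below are the ones the report lists; the benign
records and the event layout (EventID 13, Image, TargetObject, Details)
are constructed here for illustration.
"""
import re
from dataclasses import dataclass

# Sysmon Event ID 13 = RegistryEvent (Value Set). Field names follow Sysmon's
# schema. Records 1-3 take their values from the report; records 4-5 are
# constructed benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe",
     "TargetObject": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesUU\xoptiloc.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe",
     "TargetObject": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\VidJV\dobxsys.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe",
     "TargetObject": r"HKU\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotP8\devbodsys.exe"},
    # Constructed benign control: installer registering an updater under Program Files.
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # Constructed benign control: a value write outside any autostart location.
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Matches a value directly under HKCU/HKU ...\CurrentVersion\Run or \RunOnce.
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)

# Run values are command lines; pull out the executable path, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Directories that exist directly under the system drive on a stock install.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata",
                   "users", "perflogs", "$recycle.bin", "recovery",
                   "system volume information"}


@dataclass(frozen=True)
class Finding:
    key: str          # registry key holding the autostart value
    value_name: str   # value name under Run/RunOnce
    target: str       # executable the value points at
    reasons: tuple    # why the event was flagged


def root_level_dir(path):
    """Return the first directory component under the drive root, or None."""
    parts = path.split("\\")
    if len(parts) < 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return None
    return parts[1]


def analyze_event(ev):
    """Return a Finding for a suspicious Run/RunOnce write, else None."""
    if ev.get("EventID") != 13:
        return None
    m = AUTORUN_RE.search(ev["TargetObject"])
    if not m:
        return None
    value_name = m.group("name")
    reasons = []
    if value_name.lower() == "parametr":
        reasons.append("value name 'Parametr' matches this sample family")
    target = ev["Details"]
    exe = EXE_RE.match(target)
    if exe:
        target = exe.group("path")
        top = root_level_dir(target)
        if top is not None and top.lower() not in KNOWN_ROOT_DIRS:
            reasons.append(f"autostart target sits in non-standard root-level directory '{top}'")
    if "\\appdata\\local\\temp\\" in ev["Image"].lower():
        reasons.append("writing process runs from the user's Temp directory")
    if not reasons:
        return None
    key = ev["TargetObject"].rsplit("\\", 1)[0]
    return Finding(key, value_name, target, tuple(reasons))


def scan(events):
    """Run analyze_event over a list of Sysmon-style records, dropping non-findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.key}\\{f.value_name} -> {f.target}")
        for r in f.reasons:
            print("    ", r)
```

Each of the three reasons is weak alone (legitimate software occasionally autostarts from odd places, and installers do run from Temp), which is why the function collects all of them and leaves the scoring threshold to the caller; the value-name match is the narrowest, and the root-level-directory check is the one that survives the per-run renaming.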

Suspicious behavior: EnumeratesProcesses

64 process-enumeration events, none with further indicator detail:
34 from C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
30 from C:\UserDotP8\devbodsys.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c9278106e502bd3a65a804b6c03d850_NeikiAnalytics.exe"

C:\UserDotP8\devbodsys.exe
  command line: C:\UserDotP8\devbodsys.exe

Network

No process attribution is recorded for this traffic. The PTR (in-addr.arpa) lookups via 8.8.8.8 and the HTTPS connections to www.bing.com and tse1.mm.bing.net are consistent with Windows 10 background activity in the sandbox rather than with the sample, and the Windows 7 task (behavioral1) recorded no traffic at all. Treat none of it as command-and-control without a process-level capture.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\UserDotP8\devbodsys.exe

MD5 d275577270871bfc64623de4957bfbc8
SHA1 11b023e093a48a237018e58405bbc1be0e792d6c
SHA256 217e8964205d9aea304f9b51a5870730b3c856d91ea24ff89ec4c387a7923ea8
SHA512 1bf01ea53032a36f488fe1520e2d3ef64d2ff7f3edf5977fc64ab89c5a7734a0832f23350f8c9421548082030821dc125cf7278326e7b3efbde58c22be9c9d80

C:\Users\Admin\253086396416_10.0_Admin.ini (same fixed numeric prefix as the Windows 7 task, with OS version 10.0 and the user name; the prefix is a more durable indicator than the randomised executable paths)

MD5 43fbe079aaa4f5da07129b13f3271653
SHA1 fdf022e5285338fcac05dd6ad38c2e232cebc8cd
SHA256 08f999a5d0ef7d3fccf1241eaa6db1c90ba931639bf9abaa94b59af7c443a991
SHA512 03ab243cc7cb0652d2dd7caa8b6bda9faddd33b9c5f929bd1d93f1f3a46afb63b92e1d90fa81d16b6f038720d68ba0b74a42d7a11ee68968c6f2ef5cdee2a583

C:\VidAO\optiasys.exe (two content versions recorded for the same path, so the file was written at least twice during the run; both hashes are valid indicators for it)

MD5 feeedd3354f177149f741107f13a4982
SHA1 cb06dad3e7e058cf1e0b70f7a65cf976c0788a03
SHA256 e41e3123e8e9ac8e60645f2aa2fff981f18852c6b50eae899f0dc5028d75d090
SHA512 d5587069b6f506946ecd309e9a4caa55abbcb746a2ace963c3a99c8ca121f194f2c7bbf26e129dc089576cfb904b728b8a2981925b735e6a5788e5e3a5e80dae

C:\VidAO\optiasys.exe (second version)

MD5 6fbb7b4160cb89ff16a65657b66db4b7
SHA1 0c5cca49bdd5e5c23b40236b4355defee6151e7d
SHA256 6d0bcd097d9f9ac46de1553fbb2c2a7416305630d591c3a76762a1ad46e6c4fa
SHA512 f5801069da19819cf69069e89152bbae13e694c04baaf4d1461ff6c8ff682e3251c73f9d8dc5b141c9788610d00ba0106fca4ad06bd8d73f2b7230ddb967cb62