Analysis Overview
SHA256
fa154c649cd3df6fef0a1393cae5c74aeb2e24875b9dad06fcdfce60a272987d
Threat Level: Shows suspicious behavior
The file 9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:09
Reported
2024-06-03 05:12
Platform
win7-20240221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocF3\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocF3\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZI3\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3048 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\IntelprocF3\devdobec.exe |
| PID 3048 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\IntelprocF3\devdobec.exe |
| PID 3048 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\IntelprocF3\devdobec.exe |
| PID 3048 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\IntelprocF3\devdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe"
C:\IntelprocF3\devdobec.exe
C:\IntelprocF3\devdobec.exe
Network
Files
\IntelprocF3\devdobec.exe
| Hash | Value |
|---|---|
| MD5 | 6202cb5d7f847f70c0cb5ba8152ba729 |
| SHA1 | d1a7f9fe789319c62a313497f7ae56bead38ee78 |
| SHA256 | 6ca46808494c7ef5ff3c57cae8fae9179824e3a874ae2c9ce9b19de7665472ae |
| SHA512 | b89c30601fe845cf9af6168c3fa78a6b88227d2075e0af91529c21106f15d86d651ac6e677b0be63eca3eb23eb298a3c72d8e8e59de70005dbafa5fcfd33811c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 32349e6f9a6186efc63703649e0df12f |
| SHA1 | 1588b21c4688cfcca2b8a8056ae3e598dabc699c |
| SHA256 | ffb15274b889ba49986269a1385359ad0f9d9c53d51856d965627bb44f138991 |
| SHA512 | 68326d690c9f95948a7ba2bc76b37607ca4e51f9f8be5e2b102d804c40b5be24ddd4c94a0d25fe4f1fea18c4f4fa01ccde4c631ba228fa7d432b704556e6fdeb |
C:\LabZI3\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | 66f47fd40782318581bf447ad5b613a5 |
| SHA1 | 33c0f8550b7360562ee3cdef13477cbf4d4c29f8 |
| SHA256 | 02e9c6ae6a086791a6fdb40bc1b3fbd0007f5453ef9e75b1177dfffbc04da240 |
| SHA512 | bb19bb04478b0c092b78eee16888f454fba2bfa16755e090faabe678722141312a2722c92032ed920fe072c6c06288cbd75787e37cfb4cb2ebbb50966b3a94bf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:09
Reported
2024-06-03 05:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotEL\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEL\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBS\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 876 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\UserDotEL\devoptisys.exe |
| PID 876 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\UserDotEL\devoptisys.exe |
| PID 876 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe | C:\UserDotEL\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9d7179c498b8e79e48943f114d4d80_NeikiAnalytics.exe"
C:\UserDotEL\devoptisys.exe
C:\UserDotEL\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\UserDotEL\devoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 1fb08e34228c483e5b7d8831014b1a07 |
| SHA1 | 669ecde12cd02892640dbc4e3dd858efb71bbcdb |
| SHA256 | bc5e31a859e9f14967a9ecbb1a28dc5b9fc56d88b85a14932ca8091ce527b1ce |
| SHA512 | fa953dcc111d27eda271d7ffa1d9aaf54f75342605815d09df1b3307e8c62becde7c15c2412304ddb0679f1459c3f31e11255b3bf634b1b06b47599b4a73bbc3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | cfa712f945067cd7c5543527392126f7 |
| SHA1 | b6fc3a4b69cca8e56fafd5957ed79bbca166650b |
| SHA256 | 42bc7688e27ad5f6c8cae7da25300968675bcd4022c98b45d603d00df4e4cf61 |
| SHA512 | a3fca78df1f735edebbb61f0c2e5e4b52906ecd2da0938152bcd6ce0b56f0dd95f87aa3923e862028f6c70ce57a82236c3246a7ecd3b06793df1a12a1827d196 |
C:\KaVBBS\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | 7932b3911ddf3ce8f34b8db3c202ffd3 |
| SHA1 | 12ed0926eec2053c7a222299ca42044b9f560ecc |
| SHA256 | 22138dd2784d3216a5dd68658eabc116016513cca7bb429013b4759913897d36 |
| SHA512 | 5c8c9434dd87a7fcac2efce33545840a6b2762f6fd7555d6fcc3a9a7502a963da2a45e72d11970aa04a73a2045933c9fd9ae2b517bbaa98d841d0526c55b4fef |