Analysis Overview
SHA256
1094b422dc1c23ed84d6540f69575013d88a4f64954f996323c6144313ea090b
Threat Level: Shows suspicious behavior
The file 9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:13
Reported
2024-06-03 05:15
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotZ2\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ2\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUT\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
| File created | C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locdevopti.exe | C:\UserDotZ2\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2792 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\UserDotZ2\devoptiec.exe |
| PID 2792 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\UserDotZ2\devoptiec.exe |
| PID 2792 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\UserDotZ2\devoptiec.exe |
| PID 2792 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\UserDotZ2\devoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe"
C:\UserDotZ2\devoptiec.exe
C:\UserDotZ2\devoptiec.exe
Network
Files
\UserDotZ2\devoptiec.exe
| MD5 | 9efab377a2565be9ae6df6d6b97e51e3 |
| SHA1 | dbd2067c38d6e6dd7a3b9e7d9d0b2239f6220756 |
| SHA256 | 35e922235d8f232b4c02752d051d04c8309321468ca4d0f7ac2b82177dc4f81c |
| SHA512 | 69210f6c62714a1adeb5e65ae8ba7d6f0090e9676e8d7eb3ffbb3db8ea487c3b21eb76681c5739ab79a0274685677d316248f9f0d5e9769d7a48b4b681db1633 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ec1ce32606863463608fa687a0c6aaad |
| SHA1 | e702c867b9c88b34a2b49120979f130f2aa84b74 |
| SHA256 | 70ce021a357d83146d1aa3ad48d9c57261f4e52e30e9c1f2179e286ce922867c |
| SHA512 | a4a07676af4011c56937cd88579f29383ce33cc13f3e024b54a72c86153f6c27d59ccbf05810bccbddc41fee27a30b4b01bf691242a6020656fe285c4270fde9 |
C:\KaVBUT\boddevloc.exe
| MD5 | 838728b2da932c7e297dfb7388f44444 |
| SHA1 | 20cf40c9889f94a9ae73e316d34d2e23fa897799 |
| SHA256 | 636cae2dbf2006626bd4e22d307ba81c1163db7a3a1eeda57af638b56b0544c6 |
| SHA512 | 1db1b7c5247e14221a70ab4e4cbe8650afb020af6b2882adec211d798ddb24b16b02c8fee16dc9e62c1034e6d6951fa65d3a4468d34a9cf66a14c1f524b7df46 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:13
Reported
2024-06-03 05:15
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesOH\aoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | N/A |
| File created | C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'sysdevbod.exe | C:\FilesOH\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1688 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
| PID 1688 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
| PID 1688 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ca72f8eae57204b14b8e9a20d2b6d00_NeikiAnalytics.exe"
C:\FilesOH\aoptisys.exe
C:\FilesOH\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\FilesOH\aoptisys.exe
| MD5 | 6427be36934c0005e1c2502027fe968d |
| SHA1 | e809840e2ffadc1856cac31e414cb6ab47e119fe |
| SHA256 | dfcc5a157ca1d962517b0b4f8628696dc24f3fdc3f50efb6641ee14613a626b1 |
| SHA512 | 6ff5b4f72b22485bcc3e1c53a48215b8e7a2ebffcb6b62b5bb22a5f41236db49422d956617163de178d6e68ddd0b51998fdf0f107104b566df21bdcfc515d8ca |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5d32105cc229214f6a8bf27b911261c7 |
| SHA1 | b373bb8242a1119ae48c1ade4ff543f571e0f6b4 |
| SHA256 | a27d2adb9fcb3210cdcae14ab9d4943355b1acbef0983552a68f58eeab36650d |
| SHA512 | 886753c34286ae9a1b0af2414d3daaaea54f13239845a3ed199a4255e0c272128f8390613fb15a62784152df112d84a2f4f2708308850ab9f4446593cf53374c |
C:\KaVB8R\dobdevec.exe
| MD5 | c458d552c5f6b6076e0f2636e858ad53 |
| SHA1 | 2561e62dc50ca4220b664dba6ed258d393b3d72d |
| SHA256 | 4d40b7e597d67452450afba41a8d328169b4d2d598e534dfa7def99a34d74404 |
| SHA512 | 3fc6987ea70d25388f0ccec7a541ee68337e5b1648fc86643f7c607f2bc1c3ea2a1f0500266b598a4859021707c470d3cb9391b30ad8c0a2b06f9c6d4b23dc39 |