Analysis Overview
SHA256
66c33a9208b49e22e0599b4b7d8cfe225e5def35c6c51390c3494aeb646a6b66
Threat Level: Shows suspicious behavior
The file 9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:26
Reported
2024-06-03 06:29
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesCC\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCC\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYV\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesCC\adobec.exe
C:\FilesCC\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | a463b2e89801d4cc4b77ededf9bbfdab |
| SHA1 | e1aeec8f8397619b3d00b5276cbd198005370712 |
| SHA256 | 4b8a9f0056af56c582d57ecfdfffc8babe4d5676e4f16fe78f1a48af08df6bb8 |
| SHA512 | c5ef2c6d86524c699f1184a539c7dcaf50f1320a56c74667a5ec127f55e9d23c34f53862c4f39618b4072aca0d9e790c9b60ff45773620e2c3711bc8511c51f6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f1fb2ae8d7adb602fb5467df02fff3f5 |
| SHA1 | 9960171b859421ab23700bf83c4184876126eb54 |
| SHA256 | da0121c9ac423e29ae3ffca605c8848c12bb0153f8daf21a26b25a1a14512a57 |
| SHA512 | 0bf5b29063c9dc5a3ce53420d5b5a29e2bb7dbf6657cbb66a9bca6d770409479b949c0c6d33dabe801d966c14b3bd158446a10ef1199f96be1cb930c17f981f7 |
C:\FilesCC\adobec.exe
| MD5 | d14c9d440951f97da246bca66289e102 |
| SHA1 | 26e0bd0fa6c6a07ee377c4e2d066aac4336414e0 |
| SHA256 | ed344086e7dfba6fb60836d5cde1e0a7322a249822fb8b39ff018c01970143aa |
| SHA512 | 0dc2877cddbdaf21b59786fd7d10ca2883c1ea72d1ae702286f724c90086c95650ee8ff2112e8ebc74c36b958e975a31e0f53cb52ff45c07346add0a3c285d90 |
C:\LabZYV\dobxec.exe
| MD5 | 4fb66dce3851c29512925714ac87ed3b |
| SHA1 | b7a193fd38540861b90a0a104a9ca229b6af3b82 |
| SHA256 | 0d830664a5c4c2b20979c6e10f2e6aaa05d6623edcb7a4b76b2f45014353f338 |
| SHA512 | 3a69320f8bdd28deb0979830c63c1d044518c2e21cf3e442ddbeafb3e064a1a116b5d6c651dc90c233b1b701f33ab105d60b2b3a33aa22d667e92b14fbae54c2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5bfed478655f85b8e97d134b0b6d95dc |
| SHA1 | cf7c2f509c9ab1130efd97c37639f0490b817de0 |
| SHA256 | 81902ef4c702252e6efade345803515d16697202bb2ff8a23de9be7684f5f014 |
| SHA512 | 13aa9be177830f2872e6d69b68bbb019b375500932c576da931443fbcfc1836bbb124f1d88677e91e1adb5a36788435be0a8f2be7c5ec1175a7baeb5f45e61f8 |
C:\LabZYV\dobxec.exe
| MD5 | 55fdea2b148451e3403c94d25e97c6f8 |
| SHA1 | 554b37b3bae20f1e4a193b6bc261814db40ac321 |
| SHA256 | d4cab256374f7c6d77ac25d39bf4083576c94bbf6f848fed8cca33acd1626b0f |
| SHA512 | dc1da74cb78d7101cca5ae9311eaac87b29409889e5e731eea946849b095c18fb6200c0a3819bc135e32147aa309d787cab798dfe197d5598371323e65cf9694 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:26
Reported
2024-06-03 06:29
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\Intelproc62\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5L\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc62\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe | N/A |
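Three traits repeat across the behavioral1 and behavioral2 detonations above: a Run and a RunOnce value both named Parametr, an executable written into the per-user Startup folder, and payloads placed directly under freshly created top-level directories (C:\FilesCC, C:\LabZYV, C:\Intelproc62, C:\Mint5L). The Python below is an added example, not part of the sandbox report: it scores Sysmon-style registry-set (Event ID 13) and file-create (Event ID 11) events against those patterns so the report's indicators can be run over endpoint telemetry. The tab-separated event layout, the sample event lines (three mirroring the report's tables, two benign) and the fictitious ExampleUpdater entry are constructed for the example.

```python
"""Hunt for the persistence pattern seen in both detonations of this sample.

Added example, not part of the sandbox report. Input events are Sysmon-style
(EventID 13 = registry value set, EventID 11 = file create) in a constructed
tab-separated layout: event_id, image, target, details.
"""
import re

# Value name the sample wrote under Run and RunOnce in both detonations.
KNOWN_VALUE_NAME = "parametr"

# Hive prefixes to strip so HKCU, HKU\<SID> and \REGISTRY\USER\<SID> compare equal.
HIVE_PREFIX_RE = re.compile(
    r"^(?:\\registry\\user\\s-1-5-[\d-]+\\|\\registry\\machine\\|hkcu\\|hklm\\|hku\\s-1-5-[\d-]+\\)"
)
RUN_KEY_RE = re.compile(
    r"software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$"
)
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$"
)
# An .exe placed directly under a top-level directory (C:\FilesCC\adobec.exe).
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$")


def normalize_registry_path(target):
    """Lower-case the key path and drop the hive/SID prefix."""
    return HIVE_PREFIX_RE.sub("", target.strip().lower())


def first_path(details):
    """Return the executable path from a Run value's data, ignoring arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def parse_event(line):
    """Parse one constructed event line into a dict."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        raise ValueError("expected 4 tab-separated fields: " + line)
    event_id, image, target, details = parts
    return {"event_id": int(event_id), "image": image,
            "target": target, "details": details}


def classify(event):
    """Return the list of indicator names this event matches (empty if none)."""
    findings = []
    if event["event_id"] == 13:
        m = RUN_KEY_RE.search(normalize_registry_path(event["target"]))
        if m:
            key, value_name = m.group(1), m.group(2)
            findings.append(f"{key}_autostart:{value_name}")
            if value_name == KNOWN_VALUE_NAME:
                findings.append("known_value_name_parametr")
            if ROOT_DIR_EXE_RE.match(first_path(event["details"]).lower()):
                findings.append("autostart_target_in_root_dir")
    elif event["event_id"] == 11:
        path = event["target"].strip().lower()
        if STARTUP_DIR_RE.search(path):
            findings.append("startup_folder_exe_drop")
        elif ROOT_DIR_EXE_RE.match(path):
            findings.append("exe_dropped_in_root_dir")
    return findings


def hunt(lines):
    """Return (indicator, image, target) for every match across the event lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name in classify(ev):
            hits.append((name, ev["image"], ev["target"]))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe"
SID1 = "S-1-5-21-2297530677-1229052932-2803917579-1000"
SID2 = "S-1-5-21-3558294865-3673844354-2255444939-1000"

# Constructed events: the first three mirror the report's behavioral1/behavioral2
# tables; the last two are benign activity that must not fire the sample-specific rules.
SAMPLE_EVENTS = ["\t".join(f) for f in [
    ("11", SAMPLE, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe", ""),
    ("13", SAMPLE, "\\REGISTRY\\USER\\" + SID1 + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr", r"C:\FilesCC\adobec.exe"),
    ("13", SAMPLE, "\\REGISTRY\\USER\\" + SID2 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr", r"C:\Mint5L\bodxsys.exe"),
    ("13", r"C:\Program Files\Example\updater.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater", r'"C:\Program Files\Example\updater.exe" /background'),
    ("11", r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\notes.txt", ""),
]]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The generic `run_autostart:<name>` finding fires on any Run/RunOnce write, including the benign updater, and is meant for triage context; the `known_value_name_parametr` and `autostart_target_in_root_dir` findings are the ones specific to this sample's behaviour and are the ones worth alerting on.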
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e9dfa528e71798616df8ca4a6a95db0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\Intelproc62\xoptiloc.exe
C:\Intelproc62\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 270cc8877fdcea5a71ee010fe743ddd1 |
| SHA1 | bb345a788f8da54110d927f84065e25332a28718 |
| SHA256 | 74236842242ff75fc644393cc2abfe8e64006c276ff301af144725e44e51a10e |
| SHA512 | 681260d8e0f8ad75a540160fcd31e1657a29e292351c6df02565dc29284115e95454cd3a0cf30f27e10d04326f75e38fe704e8823e6e8dd9a93a235ac70c1051 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e2eb5e8d15266ac4897ca2ab283a4064 |
| SHA1 | db0c33db784a93172dcb31e0ef0ddbc67b4a1ce0 |
| SHA256 | 30bace3ba5dc599fd60691a4996efadf0a29acf5e8d60883c8ff16f0eb8a36ee |
| SHA512 | dfc432aaaa62f73e910d43b9813aef6b3879e9e3a259117037dae51bcd32e317ad5bcc9adb3a230a5693e48c6d7ade1648c398a26410d8ba1ddb21991fc53211 |
C:\Intelproc62\xoptiloc.exe
| MD5 | dc45faa7c83ef2a293cc62b2ff99ec8c |
| SHA1 | 10cc68b8a51824dfcd13ac6dfcd9687059541b9c |
| SHA256 | cf4ad4012aa3db56fdfff56a642349d3425ebdbbc3a9e7fb49f9e3b0b72539bb |
| SHA512 | 064fe363abd1073ba65b3b80cc06a59889a7b1cb444b86cfb026965bc6115335b0b99094ecf3ea2e4a527f6c7bf0d3442ce2dc0da92d406ea5496fa47915abe9 |
C:\Mint5L\bodxsys.exe
| MD5 | bf300a9e3277560d4b50c221fa9fb4e9 |
| SHA1 | 660a6bd150a8cbdedc7d74cd4d176d969f18aaca |
| SHA256 | 8dae153d0516cb73600ca020f735bed14a5b5495bf1ff6b41aa074c1f201ea85 |
| SHA512 | 11ae9322ac2eaa221b867e3c6126647f72558db74f0111b65188b27dfc6bd783c5182910a9662a7a9c8532f27e030029a15399eee1a0c710311a59f93b204190 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7f5e3d9cfe4852b6e4ff117ced7a3b47 |
| SHA1 | 55592bc98a61b09a3d3e1a42274485541002e7ea |
| SHA256 | c8605f469d4cf5942a42e52c9052345af11ee4ac32d98151ba70e1022ef3c8a6 |
| SHA512 | 59100135d19b202e9e3ba9336ce8f7b2667a47aa99fe371d5ba54197c52bd5e421cd0d890c647d713d77a979593cdfc2c02693c974b541788405ef64a1f72fa6 |
C:\Mint5L\bodxsys.exe
| MD5 | 44b869290db59320677e231a158ee2eb |
| SHA1 | cc64838a116e26a3d36f80234239d945c0ff2786 |
| SHA256 | a4514aefa0433430cabce0ee82ef54b762ad3294de4dfcd34746af896bd695c9 |
| SHA512 | 5475e00060068c065eb922e3ba5b6a43bb0e12600d8e5526f3a684102767f34bd680e3e228f4d2cea98fd0a19012255cdaa7f799721a1965dacb3cf4ef37a0ab |