Analysis Overview
SHA256
eb45b1b1e94564e6e787e834b47a05992a334d8477cf310f387c35d87a4eab40
Threat Level: Shows suspicious behavior
The file 9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:37
Reported
2024-06-03 05:39
Platform
win7-20240215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobeHT\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHT\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZTM\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\AdobeHT\aoptisys.exe
C:\AdobeHT\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
|---|---|
| MD5 | 67b41d7af47cdf11c12538a0a1b42dd6 |
| SHA1 | a49d2ea95f2ff2b8545d638492523d9bd79f2520 |
| SHA256 | 1be1abbcd41288eb2f127ce557985c7b48c342f09582768cb5be85a568b633f0 |
| SHA512 | 8250f3e38d02ae26bb5fbd287cd9802d304ba79f7d2d0cce3842ee39fe5f09cf957fc79c09d180ffd4af2cfbabee76be55f82a7f2989e94d3b9ba8ba45860fb9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 44b4eaeee7de1957f6afcb4358a00e2d |
| SHA1 | 40f0c198c9f7a0be17e7b447d406d6055a558388 |
| SHA256 | 08ff917f9ce4b47d56b3feafcdb0b4f5a65def2e6551a5f886b10c59f1109645 |
| SHA512 | 0be9463456612ff12da286f8ab4f4c534d1073ac01739bba502a73875a5e661bce362303071a4e637a9a7a11efc624006b29658aebf60626ff3420e9fb53fbfb |
C:\AdobeHT\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 2e5aab3550c91c456241b362b6d00296 |
| SHA1 | 67d3e88e8a75cb277b5d7b5810454c863c8c9b1c |
| SHA256 | 903d73368a245340dab5ab498326e56703b101e05fbde141acda2d133eedb445 |
| SHA512 | 82344b67c9853b9d992b5062c043afb545e5a516558b6d073eb76498a93f61f34e0dacc0a92d32176eccf853832ab6f84e313630b062620f4cfccf4f2f6a21c9 |
C:\LabZTM\optixec.exe
| Hash | Value |
|---|---|
| MD5 | 4a4769d12111d060cde346c83c85e800 |
| SHA1 | 365afec67f46eda58de4f62169e6ee600d8251b7 |
| SHA256 | c75594548a1c75718352102c0bf615d7264cc5b9f5d00f344b2991d2285fde97 |
| SHA512 | efd6d034b57148ca3f33754c6d07ffb86a767bb914900fb155791236be98283591a2f98ced72d214fb53f174e836fd1ba333b35b43c03ccbef97fb4c0869e8a7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 516af11ddd54f872e3b98aa4f25f8c07 |
| SHA1 | b9286be0a42b9ed0ac212a8a1f9f59969655b52a |
| SHA256 | 4bdbd46b8b1b8bafb71d9014f5a6f22085ffcbc4f363da81aed4f8bf329a7e75 |
| SHA512 | 0582d28b4a85ecfc972cbf690834854b24435b4d9b9886f58c047eda3385dd94dfde927ab208a957fbfd409be5f9dbe0a3f70df11b88a8a8d67ff5327b888d3e |
C:\LabZTM\optixec.exe
| Hash | Value |
|---|---|
| MD5 | b07ff72e8f6a5e1b266f3ea7d97c7326 |
| SHA1 | 4aa2e5611aafe6cb135b8344638c440dae097130 |
| SHA256 | 82f858d2b1fde7d3cd4fb07eacb17aa73e20c86e34994b6abf0c407cb4707db6 |
| SHA512 | c10ee4d7c5895023bee788fc95ad584025c509fd9258d3714071b8be3835a9a375eab03717d5f7b2976fc7ae6c921df93c7c00c60852d4655f5bf655afb02c68 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:37
Reported
2024-06-03 05:39
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvYS\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxER\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYS\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d5737ca0ecfaf990199410dbb7b73d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\SysDrvYS\xdobloc.exe
C:\SysDrvYS\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
|---|---|
| MD5 | 22148873ac1e5f67a3dd987d5dbfac51 |
| SHA1 | 0235c12c848518dc145b9fe23945f988b5f484da |
| SHA256 | f682c08d9d8835ef6edc7dd2f0dbe51ee948de80056dfdd726311a06d2a89dd2 |
| SHA512 | b17ed7fb6a7a0914ea752b2ab826223866188a4e29e088a1cada702b365dc63411540d91e5f52db3557ee2baa3fee8d4b91a6469fb4fd7d4490fffc40ababff7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a93f202e976abca852241b1fbeb0a3cc |
| SHA1 | f72f0ecaeb6a5cae7d80cf795f00c8b4ce50b1ea |
| SHA256 | 8051fda54ce2f31c63dfcea55b933cebcab9591165d44d8154c5db811859c544 |
| SHA512 | e23c3cdf75c85f96c0c583655148066b7447151927f27d10de918c43e64399573fc32fe8e953c088626b430b3d5821ae92e2a15f5b92f4465af8f56f8b8c3cdb |
C:\SysDrvYS\xdobloc.exe
| Hash | Value |
|---|---|
| MD5 | 866ccb6675f47510b9434b0f6c55b5cc |
| SHA1 | e06f4b6fbc958e3a10eaefcbdf889147fd8c5015 |
| SHA256 | f08144b770e4c72bb09f79284e3aa53a939b79221f3e51f72b35347b6d31748a |
| SHA512 | 36750b0f036b908ca8ad6229063cbee8372fb6ac5ae5722b22da06b5e22113098b41584818098c4062585be1eaa2b6787db80648eb60a53f1302a5e48007d529 |
C:\SysDrvYS\xdobloc.exe
| Hash | Value |
|---|---|
| MD5 | e75e16488a65f5998af9ea123e3e1529 |
| SHA1 | d3037a483c0cb893d7ad28709b3527237225de8b |
| SHA256 | a96a0e04f0a751a710161ba6029a460d781839c608919a851063aa96935b7484 |
| SHA512 | 68dc8418b39fd9d0ce74d447e39f9a9fb96f2ca4a82500c5d4693a4ec596f739b41790882a12976ce33a719fd39ca67d594b0f197dc4f12472f37760c0cc3b8d |
C:\GalaxER\dobdevloc.exe
| Hash | Value |
|---|---|
| MD5 | ec404dc607a7bce365c371372c732d22 |
| SHA1 | 4d3414b75d79d8d911c3947e95add02806762e93 |
| SHA256 | 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2 |
| SHA512 | 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b9544ef22ad47274a9637efd19ace85d |
| SHA1 | 0cb159323a128767f91308bbceff326356a97878 |
| SHA256 | d17bfba99fb77906527419085e7fbaa84737228a16e962a2093383d849fb7f65 |
| SHA512 | 24adeaef50a87c960142601fc607361981714fc3865c1139bc6d08cf26f303a44f13b698233215175377c7a50fe937cdb8b15d47882b587c0a7241754cf27883 |
C:\GalaxER\dobdevloc.exe
| Hash | Value |
|---|---|
| MD5 | 30d1b7f0e0e00a3a81020d9eb7175e63 |
| SHA1 | 8c4fd2ae163063122acb913e5710d74531200b7b |
| SHA256 | 476e0991b0435f26db647ed5ad5d399bd2140ec037f30b144a6f3b413a6701f2 |
| SHA512 | 65139f31d60d9ae3e5f25fb35d2975eb4316a1de41797e569e8cbba9ba3f98fc978dc01e22b5fb200e5ae984516226b78eb0bee575050f1f82942871f51ae1fd |