Analysis Overview
SHA256
3735d14f857cf7edf29d8ef0b1669349056ca59bdcd8babd388cabe18b7a39e9
Threat Level: Shows suspicious behavior
The file 9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe shows suspicious behavior in both detonations (Windows 10 and Windows 7): it drops and executes a second PE from a randomly named folder directly under C:\, registers that PE under the current user's Run key, writes a further dropped PE into the RunOnce key, enumerates processes and writes into the memory of the child it has just spawned.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Mapping from the recorded signatures: the Run and RunOnce writes are T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and the process enumeration is T1057 (Process Discovery). A parent writing into the memory of a child it has just created is usually classed as T1055 (Process Injection), but the report records only the write events, not what was written, so that mapping is probable rather than confirmed.
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:38
Reported
2024-06-03 05:41
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\UserDotIC\aoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIC\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKP\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3892 wrote to memory of 1080 (3 separate WriteProcessMemory calls recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | C:\UserDotIC\aoptiloc.exe |
Processes (PIDs taken from the WriteProcessMemory rows above)
| PID | Process | Command Line |
| 3892 | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe" |
| 1080 | C:\UserDotIC\aoptiloc.exe | C:\UserDotIC\aoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
All seven entries are reverse (PTR) lookups sent to the analysis VM's resolver at 8.8.8.8. No connection from the sample or its dropped executables to any of the looked-up addresses was recorded, and the Windows 7 detonation (behavioral1) shows no network activity at all, so this traffic is consistent with background OS lookups rather than sample command-and-control. Do not extract these addresses as indicators without corroboration from another source.
Files
C:\UserDotIC\aoptiloc.exe
| MD5 | b93ab5698acbfdc4bf18045928116b7c |
| SHA1 | 18bd27bce88bf56b6784e1e4d5ece582c3a752c4 |
| SHA256 | ed3fa6da6dff0a2f9a6dfec8f702bbce06cde91cabf7a4f3e5aa6bf400d42830 |
| SHA512 | b148d04118b41a4e7b9dbeeafb5ef79af6d3268f7b61237c5876ae27aad77e9308b8aad1061088f83b668e4fd414308eef0d0f4daa5907b7004707808bcc72d5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a41d4b66ed46d0dd0e0a498eb317099a |
| SHA1 | 2c3f914a1e75b27cd60493466de1931607907a24 |
| SHA256 | 413c7b0db91e2ac024f9c76d1f22bd794e7ea3ff9d67ae059a2c16ae11f9886c |
| SHA512 | 3b378f01f6f767b113ee74914f402e93e6e8a01082f026329c072e63ba9ee9d7f32a4a6badcc6d6d33506d565f35f14c7e8f53a1c9ba02a8bfd8684547a52981 |
C:\KaVBKP\optidevec.exe
| MD5 | 91ee993bfb73df3a295e4332f4aa10e7 |
| SHA1 | 3c3addacc575e97875327cd2fa9bc7e4ad47bac9 |
| SHA256 | 8162ec97568d694465ef31ec5336a4f9aade582fe26100d6121b72b4f475da02 |
| SHA512 | 50daf048bcf40ac2a35846b99b64e7bd30f2b988965de14915da552939092a987d902653f055d38efb94b2c7f85a18ede2b3456955359091f5c2d38b344e1149 |
Every dropped file differs between this run and the Windows 7 run below (different folder names, file names and hashes), so the hashes above are per-run artefacts and weak indicators. The elements that stayed constant across both runs are the Run/RunOnce value name "Parametr", the "KaVB" prefix of the second-stage folder, and the .ini written to C:\Users\Admin, whose name embeds the NT version of the host (10.0 for Windows 10, 6.1 for Windows 7) and the user name. The RunOnce target C:\KaVBKP\optidevec.exe was written to disk but does not appear in the process list, so it never executed within the 149 s run.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:38
Reported
2024-06-03 05:41
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvZQ\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZQ\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFH\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 1640 (4 separate WriteProcessMemory calls recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | C:\SysDrvZQ\abodec.exe |
Processes (PIDs taken from the WriteProcessMemory rows above)
| PID | Process | Command Line |
| 1276 | C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe" |
| 1640 | C:\SysDrvZQ\abodec.exe | C:\SysDrvZQ\abodec.exe |
Network
No network activity was recorded during this detonation.
Files
\SysDrvZQ\abodec.exe
| MD5 | f3e3d1b98d1477918fd5bab5ebaa2474 |
| SHA1 | 7b912e2313056ea6c8cbe1a07a743e688a9fe8a9 |
| SHA256 | a5ccfbd066dfc40e80cb5afcd7ae195cfd2df29d2342e7227224c2a89fbcedc7 |
| SHA512 | 498bde870d2f27d842ebadbb32e6c7ec9f4e3912b900d61b3b21457de193a8d9918b7f6913375e99dd6c6ca6eea17de98dc096e479c5dec7c2c2b8fbaeab27b4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b03f814030618e22fabfa7c793cc4abf |
| SHA1 | 9924e36b4ac2cb362938fe362ad5bbe39cb8c867 |
| SHA256 | 53dfa9755610aa5279faf7d32697e633a23b7bde4e03de5a8c8e73190b338b77 |
| SHA512 | 9c128a6f583d337ed8cfdb3758b791d17211e17293f399209a852483515adb4f368a3cb8ae1769a673eed9a935f8f1e04a0ff968072e2ac0469c0e9098d060f3 |
C:\KaVBFH\dobaec.exe
| MD5 | bbfb28d7becad79f2e0b7e2c0634b3e9 |
| SHA1 | 4e7e3ce3bf59c70035361d7b024f34ec2ee54bf2 |
| SHA256 | 23cfb91919a8109abe90bbbf804a3d1f86f93306d69235249f6f2cca9dbc5e9f |
| SHA512 | c8a186ad339d1bd6028e7b6efa004a92b50be7a8b8e796b7751dc7ffbe16d9afb2a2111d477ca10f19f09bbd7b1eb12405bbc63bb8d5512926b7f68d2d0361f2 |
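The persistence pattern is the same in both detonations: the sample, running from the user's Temp folder, sets a Run value named "Parametr" pointing at an executable one folder below the drive root, and a RunOnce value with the same name pointing at a second dropped executable. The following detection logic is an added example written for this page; it is not part of the sandbox report or of the sample. It scores registry SetValue events in the shape of Sysmon Event ID 13 (Image, TargetObject, Details); two of the constructed events reproduce the report's own "Adds Run key to start application" rows (win10 Run and win7 RunOnce), the others are constructed controls. The value name, the drive-root folder test and the Temp-folder writer test come from the report; the scores, the threshold and the benign allowlist are this example's own assumptions.

```python
"""Score Sysmon-style registry SetValue events for the Run/RunOnce persistence pattern
seen in both detonations (win10 and win7) of 9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe.

Added example, not code from the sandbox report or the sample. Event records are constructed
in the shape of Sysmon Event ID 13 (Image, TargetObject, Details); scores and threshold are
this example's assumptions.
"""
import re
from dataclasses import dataclass

# HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\{Run,RunOnce}\<value name>
AUTOSTART_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Value data naming an EXE exactly one folder below the drive root, e.g. C:\UserDotIC\aoptiloc.exe.
# Accepts the report's escaped form ("C:\\Dir\\x.exe"), optional quotes and trailing arguments.
ROOT_FOLDER_EXE_RE = re.compile(
    r'^"?(?P<drive>[A-Za-z]):\\{1,2}(?P<folder>[^\\"]+)\\{1,2}(?P<file>[^\\"]+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)
TEMP_WRITER_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Folders that legitimately sit directly under the drive root (assumed allowlist).
KNOWN_ROOT_FOLDERS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Value name used in both the win10 and the win7 run; the folder names were randomised, this was not.
KNOWN_VALUE_NAMES = {"parametr"}
THRESHOLD = 3  # minimum score that raises an alert (assumed)


@dataclass
class RegEvent:
    image: str          # process that performed the SetValue
    target_object: str  # full key path including the value name
    details: str        # value data as logged


def score_event(ev: RegEvent):
    """Return (score, reasons) for one SetValue event; score 0 means no autostart concern."""
    m = AUTOSTART_RE.search(ev.target_object)
    if not m:
        return 0, []
    score, reasons = 0, []
    if m.group("name").lower() in KNOWN_VALUE_NAMES:
        score += 3
        reasons.append(f"value name {m.group('name')!r} matches the indicator from this report")
    exe = ROOT_FOLDER_EXE_RE.match(ev.details.strip())
    if exe is not None and exe.group("folder").lower() not in KNOWN_ROOT_FOLDERS:
        score += 2
        reasons.append(f"target {exe.group('folder')}\\{exe.group('file')} is an EXE in a non-standard drive-root folder")
        if m.group("key").lower() == "runonce":
            score += 1
            reasons.append("RunOnce entry points at a second-stage binary (not executed in the sandbox)")
    if TEMP_WRITER_RE.search(ev.image):
        score += 1
        reasons.append("value written by a process running from AppData\\Local\\Temp")
    return score, reasons


def detect(events, threshold=THRESHOLD):
    """Return [(index, score, reasons)] for every event scoring at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9d5c2ae793487b558395677e40aa6e90_NeikiAnalytics.exe"
SID10 = r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
SID7 = r"\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000"

SAMPLE_EVENTS = [
    # 0: from the win10 detonation (behavioral2), Run key
    RegEvent(SAMPLE, SID10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr", r'"C:\\UserDotIC\\aoptiloc.exe"'),
    # 1: from the win7 detonation (behavioral1), RunOnce key
    RegEvent(SAMPLE, SID7 + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr", r'"C:\\KaVBFH\\dobaec.exe"'),
    # 2: constructed benign control: OneDrive registering its own Run value
    RegEvent(r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
             r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # 3: constructed control: a drive-root folder on its own stays below the threshold
    RegEvent(r"C:\Windows\explorer.exe",
             r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Tools\updater.exe"),
    # 4: constructed control: not an autostart key at all
    RegEvent(SAMPLE, SID10 + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    for i, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: score {score}")
        for r in reasons:
            print("  -", r)
```

Only the two events taken from the report cross the threshold; the OneDrive control and the bare drive-root control do not. The value name alone is enough to alert because it was the one string that survived the per-run randomisation, while the folder test is deliberately weaker so that the rule does not fire on every tool someone installs under C:\.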