Analysis Overview
SHA256: 6e2ad861ed241273bea3ebfd5fab1bc106b7899808a5df5283d91f437855cd1d
Threat Level: Shows suspicious behavior
The file 9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 05:37
Reported: 2024-06-03 05:40
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDot4X\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4X\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint97\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\UserDot4X\xdobsys.exe | C:\UserDot4X\xdobsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot4X\xdobsys.exe
C:\Mint97\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 05:37
Reported: 2024-06-03 05:40
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 149s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\UserDot3B\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3B\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3M\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d5bef4d54045895d850aa9dace4b8d0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\UserDot3B\devoptisys.exe | C:\UserDot3B\devoptisys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDot3B\devoptisys.exe
C:\Vid3M\boddevec.exe