Analysis Overview
SHA256: f952f671c2816a844d3117c9dceb81f3a4f06ad6060213186b2e002d816eef6a
Threat Level: Shows suspicious behavior
The file 9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:46
Reported
2024-06-03 05:48
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDotZI\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZI\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNK\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1284 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\UserDotZI\devoptisys.exe |
| PID 1284 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\UserDotZI\devoptisys.exe |
| PID 1284 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\UserDotZI\devoptisys.exe |
| PID 1284 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\UserDotZI\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe"
C:\UserDotZI\devoptisys.exe
C:\UserDotZI\devoptisys.exe
Network
Files
\UserDotZI\devoptisys.exe
| MD5 | 3ae04e76ce26f81254e6a9035b9f119e |
| SHA1 | b92007fc9cefafc7fcc9731036fee1c74f83db10 |
| SHA256 | e1c6c7bd16202194234860041804668e84ad795ae881149064218c0b47e89647 |
| SHA512 | 2282c86249beeca5f57e46d74710a19f49f0c633645d191e51beafc72325ff6ae9edf19be809c6a55585b8f160e5741534aefe5522e6dfcc6d61ff1594cd96e9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b261ed90489fe9136cb3b6545f6184c8 |
| SHA1 | 542d014bc7b6f37a2db23d25d3b53ece5e3356de |
| SHA256 | 4ed65002a162da8995b772e443d3ee34a7d6786768d93a618e29359533a6165b |
| SHA512 | aeb339b5e1e0e2eedb896baa4cad1080e93a56493cff3ccd3ff61b1a5e3928b387cc81669573d047192e000e6885262f27301f9573104d42bbcc3ad9ea529554 |
C:\MintNK\optiaec.exe
| MD5 | 97b6bf7954069df8faa3daa10c9956b9 |
| SHA1 | 0e4a40c293a67895aa3d1114c872b392d8f5b284 |
| SHA256 | c1126b10cb003f49f207d1f640c5160f3c0a0b780e9bd1bf0b38231ecdf0a352 |
| SHA512 | 35eed381baa055fda7328d480a87f836afa991ed4ce1452b26fe074dcaf49b31e43a6697fb42490d4522379efe2c8d54178cea623419f09ebff6bfbb9bfd5f58 |
C:\MintNK\optiaec.exe
| MD5 | ebaa9851cdea029694eb9e34176bc433 |
| SHA1 | 4d5c5237b0169e9ddf07e3b27823e7ec50e815f6 |
| SHA256 | 08a471848f2c612cf0c22283dc2d7ff389fb416d738c6d71088dbd1fbd7715b3 |
| SHA512 | 99726b1f7ae2b0b0de3df088bf6f28ef4c6d75465f996493815566cab6b39e60e2ebfd4a06e36c53533427871123d06b364ae40758661244a316507aa00d144a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:46
Reported
2024-06-03 05:48
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesRN\devdobloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRN\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTR\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1824 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\FilesRN\devdobloc.exe |
| PID 1824 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\FilesRN\devdobloc.exe |
| PID 1824 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe | C:\FilesRN\devdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d90357819c55a222f7d7e05c7950ed0_NeikiAnalytics.exe"
C:\FilesRN\devdobloc.exe
C:\FilesRN\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\FilesRN\devdobloc.exe
| MD5 | f5ca3139047ee32660ea73d4a06aa27b |
| SHA1 | 3b76ff9722b6f7c5c90cd7dbfff3c33cf1b6e254 |
| SHA256 | 2dccda19cdc89dbee08540d554913e6ecac5719a1c37d114a80db8cc4efaf0e6 |
| SHA512 | 792e17deeaf75bb15b90337c0e46301539ff89ded19369746249cdb956702866f2139d92a5600a505423fb77749f403a61b31fd6e231c13f3506c447b0a535ef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 182f8688a0e9b8a66756333efa52940a |
| SHA1 | 2aaf655b8b2cfd3734f21ef3d54f79f794deb9a1 |
| SHA256 | 78df9786140fd7b7f9888f633e885819150d602f6bc660e51fa94331fc792a45 |
| SHA512 | 62668239ae51034cc3ef56dbd111c4258a5c49f700c241db0b2ca0da2cfa3536224018d6f2d5aff9d667dd617731d2e6d5341d5ce925305464b01a9a6991b21b |
C:\KaVBTR\boddevsys.exe
| MD5 | 9731fb39133ef214c1d477862f5ecf56 |
| SHA1 | 4fff39c0aeb4fe67608c1317dfb3bf111b782801 |
| SHA256 | eaa0a0870ea7b4ab35ec703b4d3bd656328ac7af8494833748e34b82d124b2de |
| SHA512 | c80c01678e5d62c30b25579c9e3bb006e40fd88ea9f24947e7b05fe34d584c1896611d5331d3a0ebfdf170519dc0edfa93ed24872309bcda9dc724a68f5dfeb9 |