Analysis Overview
SHA256
278dd962ca8b275cba9188bbd6c172649bd61dafcc30a8fc0f8ba28203116b28
Threat Level: Shows suspicious behavior
The file 9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:51
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\SysDrvKC\aoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKC\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYY\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3268 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\SysDrvKC\aoptiloc.exe |
| PID 3268 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\SysDrvKC\aoptiloc.exe |
| PID 3268 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\SysDrvKC\aoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe"
C:\SysDrvKC\aoptiloc.exe
C:\SysDrvKC\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
C:\SysDrvKC\aoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d3dcee83a181af356a9cb333f692eeaf |
| SHA1 | 49f6475ebf039ab472d76d848bd3d953fd366be7 |
| SHA256 | be6ff7d9ba5772371fe654c4aebc73c0390adf209646f8f02978a8d3f5efecf7 |
| SHA512 | 25c8632afa4510528e5ebf711e0d4232e81710b8c9a316084b186f7f5b4625ab19060efd6483fbf2878950863dc22c4d23698c5e1287f8591be8e90d6dc047f2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 986169dca70fc7f2e7c3ea2e9db7aa14 |
| SHA1 | a0e76267fd6c06e1a44d0d2185299b57239a0db4 |
| SHA256 | 3d57c9ce2224c5f4d53f56104b0c605ba8558b01da38ca040014ad5d4a11a29a |
| SHA512 | 1b2fb189a235b781342fc013480945f143a4ba63c4332a2e2e1ff29eabf2c5f5b33793ab93af6e83a7f171abd8fe89e190fa3999e941ca284605145d59ce7d9d |
C:\LabZYY\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | a5768caadfbae78cc5618ed5e15db7fe |
| SHA1 | 0ada192d1f0fcb46516aa53de0baf40cdeb304db |
| SHA256 | d444520f6d1a6268c2eb118c1be588bc7835908b76138b6f668a2ca37832547f |
| SHA512 | d798a182677dd21ddd0dc391811296d61553103018225ed27b1ca0d21ad3289529bd3fa72f9c53609f08e04e727c73e8f9495bc201f700d09519c8c1377da9dd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:51
Platform
win7-20240419-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Adobe96\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNS\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2032 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\Adobe96\devdobsys.exe |
| PID 2032 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\Adobe96\devdobsys.exe |
| PID 2032 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\Adobe96\devdobsys.exe |
| PID 2032 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe | C:\Adobe96\devdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d9f169e48112e14e9baf45ae8bc4fc0_NeikiAnalytics.exe"
C:\Adobe96\devdobsys.exe
C:\Adobe96\devdobsys.exe
Network
Files
\Adobe96\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 18968b053e1cf8aa41fda8e55470d7e4 |
| SHA1 | b0236b2bf4396c66dff1ffc7fdabf132568a51a0 |
| SHA256 | cc7e394e539693be0626b339daff11fa4ceb952a273a883919dfbb49513dbb06 |
| SHA512 | 0a2266e5cf0b9977d02dcc4e19466fade99b74948fe995cc2c4213bf7211db365747eaa3a4d9b2e47bffceeba62f098e7e041a294bf0ec84c8461dde5bd9e7a5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 5a7183b5c77b4aa21a4d584f2077cd11 |
| SHA1 | 57706790b00f3cff6cc4389b8d16c7889af14699 |
| SHA256 | e7d64cf63df0dead8c1825e80e1ae87b3034ec468f812228d6daa252c148fcb0 |
| SHA512 | a902593178779ab60e31c50cdbd4ac2ffdce7b54f928bdda0caa1c381f514af1a951acaf45d0b545ada59b21ca415a56e1927bb065e23bd0de2d90079017e793 |
C:\MintNS\dobxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 6fea80d79c3fd5dcc51cddcce6b651d7 |
| SHA1 | acff2c5dc544dd76cb8ce0d17d099e3fee888199 |
| SHA256 | 8f42572653acb1df57c40df25568e45b180c8930320902647653d10ac342da95 |
| SHA512 | 6ce151a39d1b7d7083cb9e5e49ffebace9410ae21c1c19cd078992562adb15c5f7f30d833fad70a96e123bac10a6baf92fee4d7c936b0d8af37e12fe665cc706 |