Analysis Overview
SHA256
e8f735c51e402385a635077e177f01511416950c615616aafa7b54b4210d511c
Threat Level: Shows suspicious behavior
The file 9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:58
Reported
2024-06-03 06:00
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDotLR\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidP8\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLR\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1936 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | C:\UserDotLR\aoptisys.exe |
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe" |
| C:\UserDotLR\aoptisys.exe | C:\UserDotLR\aoptisys.exe |
Network
Files
\UserDotLR\aoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 465dc71b647a57d44906942c71dbdf8f |
| SHA1 | 6acf6395fe0a226c5cc67b93ae3b9d7969fe2636 |
| SHA256 | bdf3fdf2f85c530c77b0e779455db8449b951812f6bcd30f1ef846e5ddf31d66 |
| SHA512 | c5744c4843fc6563650b5e8d2a024a18c48fd1b915496e89edb4a051b34c930bff297f61de989b4bb908de65dc316ce975ce6894744c846a8cf7bcaca10459dd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 330b91e8ac6023be1be69d43272f79be |
| SHA1 | 5cf3fc0e2d90c0d4f4778083540150f43376e149 |
| SHA256 | 6d64b6ba90c3414f277b56916bbb14c6a1f7ba50bc23ad56742fadc5ca5387a2 |
| SHA512 | 24377596aa9f0e55b3aaf2d2ef9cc533be16b9b5679f66810b065437abae5beb4d2f7ccb9fbcb84d5485f48df4cb628796b78cbc208e075dd7c4d580685a3244 |
C:\VidP8\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 497adec309cf7ecde084c02af88c77c4 |
| SHA1 | 2116a4c49a05ee9256e758baea79f94546405f36 |
| SHA256 | 6b02f5518b7537f979a208e1f95b6d45e5ebfdc6046d2e33f2ef4091264d9c08 |
| SHA512 | b71ea5b4e54dedc6fde26a07bff75955b1e6b6684f3293f7f64d9c3e1030122edc45a47164f8683e8354abf70c7b3a8f8dc34ec145eaa3289371b761e2a8f531 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:58
Reported
2024-06-03 06:00
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDotF0\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotF0\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKD\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4628 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | C:\UserDotF0\devoptisys.exe |
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9dd9681e3ede19c3f5aff221213f7410_NeikiAnalytics.exe" |
| C:\UserDotF0\devoptisys.exe | C:\UserDotF0\devoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\UserDotF0\devoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5278aa57391666585613945ca33e6ef9 |
| SHA1 | 475a860129797f2d94a1521f9c0b665398bae970 |
| SHA256 | 4a1707d69689f70d87c939671428b176e8926f1fae69542bb2feca267f134ebf |
| SHA512 | ff3dfc00ba1aa4bb637dd35738fef79e993219c725c43fff5c60f08959740fb709fda4a9195f897f35310ee42db0f565751deddea0e87caf7a96914c40eb4a85 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 242ede2d1b1d823041d76f18e74efd4e |
| SHA1 | 3065155d5a9dc3af34419570cb1b3095c02237d9 |
| SHA256 | d7fc0574c50373a37f2ad2569c1a21a283efdc5df6434a3d8a89129ff78a8051 |
| SHA512 | 538f8abc2d553fd1f1e7dd42db4b55e25bb8028a892547499e861df4b0b8ccce90380319caf8d11115a32dde3cfd9a8c67b44d65f93df83393f046d570f9dfc1 |
C:\VidKD\optiaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7984efcbebb444da612c9a17abbc4e5d |
| SHA1 | 4b4a120d7fbaa90f543072344d8d8b2ddec9bdac |
| SHA256 | 03d0d33c2c591216b8e31dec7846afa3e62063d2ecb49973580e42fe43b4d0fc |
| SHA512 | 5add5fca88ea7e8c4da28186a5d3d94820c4d1ff6efe2e9eff88bc88c6c7a9b511f3beb9b0d8867db493e55496a0e8a6e0b6a69e7515eaafd56b2dae186d1fad |