Analysis Overview
SHA256
6b3736ddd8920a360ca169693dae337c54d2ac5bcc0070635cc9176daafecb8a
Threat Level: Shows suspicious behavior
The file 9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:56
Reported
2024-06-03 05:59
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeA6\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeA6\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR7\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeA6\devbodsys.exe
C:\AdobeA6\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | e94e8c05a99f48bc04232e2fa2c786a2 |
| SHA1 | 1f75a2d9140ee581ac80d1de26902c150d9ebffe |
| SHA256 | d938a1e1112bf7a320549adb171028832aee35635f2827d4b555f297f618f97e |
| SHA512 | 57c9427a61bfb1853c2258f4d3d1630bc769578be074497b19741970f707ea17d97fae479f10009a20450a8170a2d20a547f076fa7bb87692e933309fede8d4f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1fc54941a83364af8ba15048042decce |
| SHA1 | c3b5096177e4e3d733623c1f0028aaed6ebb60cc |
| SHA256 | 3c91b32d8cc8bf1f7bdd582f1aae98d9d464a64f5b9f05bf41ae9311695d3a2c |
| SHA512 | cbecd0e626a4297d2a214ed85dd6d9bd6a218bf06ba04267592fa9cac1fffedba37a77cf6a9cd554d9d3cabfccd8426c12b4a9227e4163e65988cffc8455cf9c |
C:\AdobeA6\devbodsys.exe
| MD5 | a2062eb24ea15b215249a234a388fae3 |
| SHA1 | 38b5ad8c2a568fdca6e8d60f057185eed5c8f09d |
| SHA256 | 95ae1836039d1f36c3a81efbdf8391661ae0833af1aeda7947588946fe5a1309 |
| SHA512 | 94980a475ad12119c090363e8bb10232425dc18202e25341b27403447b397aa274264246f80cce9ba51708fa3fcc511f55e0a5613c8ac1df1871ecb8bebda34f |
C:\VidR7\bodxloc.exe
| MD5 | 8892f3bd7f9d8f3ccf432ab6ebcc4c9c |
| SHA1 | f93a7a2f875f03cc92ac837a270e1666b9f67ed0 |
| SHA256 | f948e01bf1a8ebfff9e003cd7660c54a77d09db7e29428d481319f8570ba4847 |
| SHA512 | a4b01d4bf30a05b480dd103aabfe43ff81c6861e17b3a83c174748a41e853176d59f7cd509b582923fb4c7b9b62327de0635de7b20959861d9daecdb0f151cfa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cff7c41b76f70a3ecfb816026985b981 |
| SHA1 | 1faf82c7eb161dc2a9b34950a9516a08e7f5c1f4 |
| SHA256 | 5f16b3db513963d46c971b6d11c15a37fbabba6a71404cc1ac5da2fa88b27afd |
| SHA512 | 1d5390546883492a3dc0be859e615b475648a52ebd104be47a0c61a06c0a36b83c19723ba9c30c03a295748d044a951447fcb8802d48ce85e22d679893407bd4 |
C:\VidR7\bodxloc.exe
| MD5 | 64238440308260991905e35314006087 |
| SHA1 | 8bcf5f8b516f0c965d34572ba5ce5e7955f75046 |
| SHA256 | 540bcf2dfef3f86ea4672f024da2eb4d9e675b6e5f71d7ed771a8ce8a76b1e7f |
| SHA512 | 07dd4f3bcf5f83264596e77f9712b0990edc8b4c0ab45c5897585b9f26704fd9a80b71228719555c60b745829ab53af9941cbfafb1a25acf8883c72f308cac77 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:56
Reported
2024-06-03 05:59
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\FilesB1\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB1\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAO\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
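The "Drops startup file" and "Adds Run key to start application" tables of both detonations (win7 above, win10 here) show the same persistence pattern with every file and directory name randomised per run (sysxopti.exe vs locaopti.exe, C:\AdobeA6 vs C:\FilesB1, C:\VidR7 vs C:\LabZAO) while two things stay constant: the Run/RunOnce value name "Parametr" and the executable being placed directly under a made-up top-level directory. The script below is an added example, not part of the sandbox report or its vendor's tooling. It parses indicator rows in the shape of the tables above (the sample rows are constructed here from the two detonations, plus one constructed benign OneDrive entry as a negative case), flags Run/RunOnce entries on those two invariants rather than on the throwaway names, tags both the Startup-folder drop and the Run key with ATT&CK T1547.001 (the mapping is mine; the report names the matrix but no technique IDs), and emits a SID-independent hunt list for sweeping other endpoints.

```python
"""Persistence triage over sandbox 'Set value' / 'File created' indicator rows.

Row format is (description, indicator, process), as in the report's tables.
All rows below are constructed for this example.
"""
import re
from dataclasses import dataclass

SAMPLE_ROWS = [
    # --- win7 detonation (constructed copies of the table rows) ---
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe",
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeA6\\devbodsys.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR7\\bodxloc.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    # --- win10 detonation (constructed copies of the table rows) ---
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe",
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB1\\devdobloc.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAO\\optixec.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"),
    # --- constructed benign entry: a typical OneDrive Run value, must NOT be flagged ---
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
     r"C:\Windows\explorer.exe"),
]

# Matches both 'Software' (win7 run) and 'SOFTWARE' (win10 run) spellings.
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$',
    re.IGNORECASE,
)
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Top-level directories where a legitimately installed binary is expected to live.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Value name reused by both detonations although every path was randomised.
KNOWN_VALUE_NAME = "Parametr"


@dataclass(frozen=True)
class Finding:
    kind: str        # "run_key" or "startup_drop"
    technique: str   # MITRE ATT&CK technique ID (mapping assumed here, not from the report)
    exe: str         # executable that will run at the next logon
    location: str    # registry value path or dropped-file path
    reasons: tuple   # why the row was flagged


def unescape_data(data: str) -> str:
    """The report renders REG_SZ data with doubled backslashes; undo that."""
    return data.replace("\\\\", "\\")


def nonstandard_root(exe: str) -> bool:
    """True for e.g. C:\\AdobeA6\\x.exe: a binary placed directly under a
    made-up top-level directory rather than Windows, Program Files or a profile."""
    parts = exe.split("\\")
    return len(parts) >= 3 and parts[1].lower() not in STANDARD_ROOTS


def analyze(rows):
    """Return persistence findings for rows shaped like the report's tables."""
    findings = []
    for description, indicator, _process in rows:
        if description == "File created" and STARTUP_DIR in indicator.lower():
            findings.append(Finding("startup_drop", "T1547.001", indicator, indicator,
                                    ("executable written to the user's Startup folder",)))
            continue
        m = RUN_KEY_RE.match(indicator)
        if not m:
            continue
        data = unescape_data(m["data"])
        exe_match = EXE_RE.match(data)
        exe = exe_match["exe"] if exe_match else data
        reasons = []
        if m["name"] == KNOWN_VALUE_NAME:
            reasons.append(f"value name {KNOWN_VALUE_NAME!r} reused across detonations")
        if nonstandard_root(exe):
            reasons.append("target lives directly under a non-standard top-level directory")
        if reasons:
            location = (f"HKU\\{m['sid']}\\Software\\Microsoft\\Windows\\CurrentVersion"
                        f"\\{m['key']}\\{m['name']}")
            findings.append(Finding("run_key", "T1547.001", exe, location, tuple(reasons)))
    return findings


def hunt_list(findings):
    """SID-independent artefacts to sweep other endpoints for."""
    reg = sorted({f.location.split("\\", 2)[2] for f in findings if f.kind == "run_key"})
    files = sorted({f.exe for f in findings})
    return {"registry_values": reg, "files": files}


if __name__ == "__main__":
    found = analyze(SAMPLE_ROWS)
    for f in found:
        print(f.kind, f.technique, f.exe, "|", "; ".join(f.reasons))
    print(hunt_list(found))
```

Keying on the value name and the placement of the binary, not on the per-run file names, is what lets the same rule cover both detonations; the OneDrive row passes both filters and is left alone. The hunt list strips the user SID so the two registry paths can be checked under every loaded HKU hive on other hosts.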
Processes
C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dd3ca273184d762aa13d168e9cba520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\FilesB1\devdobloc.exe
C:\FilesB1\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | ec97e67b11f1b7ad244b40b6ccfef366 |
| SHA1 | aff26c22f44fb868ee29d0e78d0bb670a6f971eb |
| SHA256 | 8337a778fd9dc0060dcbd4819a646148d9fc32ed76857a7718318cff335ce997 |
| SHA512 | d5042ed7692d23eaadc202b5ca1106b40576ddaba652ed958499d7ac5957371944f7ebf07a9d5ab0e1a74c68f1b7838c55a4771a8f86501348ad2090101cea90 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 25246eb76a421996cef010aefe8d6b04 |
| SHA1 | 445795c0a9d8f4337fafea6cf45a63f284762f7b |
| SHA256 | db7137fe86189f8beea5737530e5b160c6a820cb0693035712214a60f449d32a |
| SHA512 | 2d8980d475fd8421356d6518197fa0f7e7674f6a62359a977269b591da3de45d592c39229b69e270914f63d52506b8796d815f5dd885a28fbdb2380794cae3bc |
C:\FilesB1\devdobloc.exe
| MD5 | 4cb9c50ad0c4d04ebd9b6b386e28d0ad |
| SHA1 | 044ebdf2bfa073d4894fd7fa37f4c09489656fc8 |
| SHA256 | 54ef314745a570345b2cd7a1d7a0e9b5c14ccfa436761e7a0028ef152e7c9c6b |
| SHA512 | 0bfc86f765bc152b3e15e0e5feff513b94b676988a865be3a3bdf13b447e5d65e11d2ba96ebeaf73411eb6632c1a8dbc36a382e0da5325cbb59bf6cbca757416 |
C:\LabZAO\optixec.exe
| MD5 | 460bf8093425aeb3bad832a66205141a |
| SHA1 | 989cf2f3d9b04c8c84552b181587841ffc483d1a |
| SHA256 | 9b388009a7e464b255b84f81b76f16e99cb3f2d703e63725b3c7bfcd4fb67c72 |
| SHA512 | ce90c5dd171348018d01508d7c066df0e9a9596f638eba4c96dc36f47740576058e7ee1a1f9dc598571614ef216d4f1277f41b548038b56cf737c5dfdcf95043 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0b66d6b9d7932d03bf711198621beede |
| SHA1 | 7efef39fefbb66872eb01775f6dfe288a3f31af4 |
| SHA256 | 220c15a06faa65941efee62830b0f45ca10a3d21ddd610ac8a3382da0d35d101 |
| SHA512 | d2152e84d7d8ce6d4fd8814e700da201eb4c2bdd88a93dceb86e209b88feb8a33f9479062fd37a22519f7569dec1f3c99993e4a19a3bae9b5745fb3790c47430 |
C:\LabZAO\optixec.exe
| MD5 | aba5aba4a60afdde69a0775e66a87f09 |
| SHA1 | 29feec5878705d692062f3cfcb764583772f9849 |
| SHA256 | 0e8f4929c3f71c4886428bb168cece85784f7504a4078c7c98f34d8ae45510af |
| SHA512 | d49e42182a4a674f1869e127d50836abcd120c16d8d1ffc8571cf8ab169e06867fb3f39cc1b93f63dd2dd4183bd5c33b63e56d87a9ea51ce43966b6178640c72 |