Analysis Overview
SHA256
2472c887a9fd7c919c21cca11987acd7b2fd3712a45a38636dab2d965a42535b
Threat Level: Shows suspicious behavior
The file 9de66806a08814053a049540038ab220_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:59
Reported
2024-06-03 06:02
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDot7R\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7R\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKK\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2776 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\UserDot7R\aoptiloc.exe |
| PID 2776 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\UserDot7R\aoptiloc.exe |
| PID 2776 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\UserDot7R\aoptiloc.exe |
| PID 2776 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\UserDot7R\aoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe"
C:\UserDot7R\aoptiloc.exe
C:\UserDot7R\aoptiloc.exe
Network
Files
\UserDot7R\aoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 54acc95e6978b100e507cadc0e18a751 |
| SHA1 | 06ee0113648d2445de2bbf25222ab502b5d5dabd |
| SHA256 | 38d2362bfae1ecc3d1076cabba26aaf046651e49deb2a46c66b012d7d6406094 |
| SHA512 | dcc1af61f9bd66e46a68c49c1fa7d8af2592ae270fbcb61e8e1b78d3239c24b3832811dbe0c256a546b4b6fcd18ff2c62b990c0ea8f665f05b66fc43330bb1c0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e0fec2f9fafa0fa8a68271ec8d0c2c97 |
| SHA1 | f9cc5941fba5a4235b234d310515caf219569264 |
| SHA256 | c88fef58323277a721421b1ce42cb6f08e49e460a57b552031c54fec6c4d65fe |
| SHA512 | b2f95d287a7136fb54a0c39df6f926b770441912364c0171cef9747b3badd9ba19aa4f6708feaef0a2e5b37fc7808dec5c6f79ff132b8c75e27be42f7def983b |
C:\GalaxKK\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 66b40ffe3c1aacc80f18a24284526750 |
| SHA1 | 97bd1a74000f697a11878b7a99e83d59ddfdada8 |
| SHA256 | 6295178a4a47d0040d9bfa1f61efbf3831e826390f80478829699b2f5d62dcdf |
| SHA512 | f83859535c52a9a6f13a176769ce9819a755e441928154e1024855a83082a4aa4a45d21ea51ddce87a60669316f77925dba01611f73505a06caf13311caab2f8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:59
Reported
2024-06-03 06:02
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesG0\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesG0\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYD\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3124 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\FilesG0\devoptisys.exe |
| PID 3124 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\FilesG0\devoptisys.exe |
| PID 3124 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe | C:\FilesG0\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9de66806a08814053a049540038ab220_NeikiAnalytics.exe"
C:\FilesG0\devoptisys.exe
C:\FilesG0\devoptisys.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
C:\FilesG0\devoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 3889ded608e579ef8736e4331d29d208 |
| SHA1 | 1322e372f0eb29a353924fcb1e048c2e87e4329c |
| SHA256 | bf45676cb72c123d6a8566e425cbdc96c9b782ea6667c97181694301fc21d5e4 |
| SHA512 | 7af466a067ecf0beebcf50a55c30618af4462bcd4a3e68a61858a80eb14056f450dbf24ec2b35098fb27e3428f5b22feb0400849f69c88427e613d5755b250bf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6a39e1f9b02bf82e341b76c80da38573 |
| SHA1 | f8d9023f1ed4671f498dc1371861ce2d28a84ed9 |
| SHA256 | d48fd12011ec0189f334a77292d48c8d4cf56050d6eba40d4c3092c6a4eab7d5 |
| SHA512 | 3deb8239d80690b0d749283aa7a4ba1fe3a2753478cfc05d3c73c6a0647a2f9269c8d54e0383a74449d195848ec2f78e7c7460fb456744836c3f1566940fdc23 |
C:\GalaxYD\dobxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ba963fadc43631b0969f493f3afb812a |
| SHA1 | 7e08ef85043082f85f5d6025d0a17f07ef66e01f |
| SHA256 | 16490270bc975a08a3e7cc903f273d2f8e0fafe9755709c02615795742521b25 |
| SHA512 | f4ee7886f8155d66c0ff69820f85034cda3364585f8b4acaa7684ec1d0ded310f29579fe2b04b136ee3122c9dbaccf927dcb9e5cb61538ea55b696b3e3ac06a4 |