Analysis Overview
SHA256
ff13de3e5283a442a940c19106d2971e33823fbb21f43ba8c51e90631dc69441
Threat Level: Shows suspicious behavior
The file 9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:03
Reported
2024-06-03 06:05
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\Adobe0K\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0K\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX1\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\Adobe0K\adobloc.exe
C:\Adobe0K\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 9828f57af8bf0b6de16c6b685d7b3117 |
| SHA1 | 550d50b8ae2e32bf12f5b79939ca69cb75c007a3 |
| SHA256 | f55e7ee5866d92c713d6c508906d1eadc2fee3b19a77470ce2bca601485bd7c8 |
| SHA512 | 06db2dc0602bdc9f3b75794cf78acb5579b23bbb943c8a825689517b51167d275133d0b2bf7519949faf1ecb07fd0796f71af2d1438ba0466cd8c2cbb9ba7d08 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 99f476fdc05604a6586b041bc494fc2b |
| SHA1 | 8582d503626f5d70c21410677cd3c492f3490059 |
| SHA256 | bfe99853f31daa71e5cd5a9ee66f225e6e041ec9db14130c17f02b48522a36e9 |
| SHA512 | dcccbae963e4259d7f0b126c14a792e96071d0d256f2eb77e4b3a43e8712230101fb173abeeac0dcbb6e85a620c57a3fb3f7ebc83a7304dee47ef548fb48b450 |
C:\Adobe0K\adobloc.exe
| MD5 | 8b27ea7e0f5cf2225359b79cafcc30b2 |
| SHA1 | 3fa3364a747cbb0de974289bf84d7ece68a9785e |
| SHA256 | da167e9639f489a29579c93275a86e6ba9acbd46490df8b26a4e57eb8ae19b21 |
| SHA512 | 1d433be2faf024270c2d98f3230da630979b459f6c3d18682ff02e4b2df11ba8186866494dd4d02a829adbf36bc3e88f484fcae0e33a5b4a237d978313818122 |
C:\MintX1\dobdevec.exe
| MD5 | c88c42aa321fd65bcf2e5e1b98aad0f1 |
| SHA1 | 36afe3c393c6268933df8b12ccf42d28b530dfa0 |
| SHA256 | 9122750b78fb8b0e14916976fa9dd08a8abea31aff613897c9c1c61ad2135402 |
| SHA512 | 64b4eab8fe93cf2fdfe4f6e3744726e50b2723d680d6129b6a343d05a14073c3044ee353924f7eea5fcb1882d53233a67f6c1e8dcb7670d00800742c6d12a0ad |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cbf8645bd86ba09bac69ab11d67b68b3 |
| SHA1 | a4deb3adae71e9c19711e99628ff0b096fa3ea29 |
| SHA256 | 79935029b87399bfd18d65c53a91c8ffe02cc636aeb8ff13d4043c4bf9b010cc |
| SHA512 | c6dfbc2fd6c97eb76f2cabd70799d81386e5ec79904c36036a20cd4dc06d0e216b29c03e43f6c3e58a9677e3d176e5ebae8c60b3f8b580fc36714839f4cb538a |
C:\MintX1\dobdevec.exe
| MD5 | 8dc4d9694c17621720c320e82829dbd9 |
| SHA1 | a9ac9ea870162fc6dc14d43c98824d48c29ec74c |
| SHA256 | 73310f0dab90499fcda3b7fc967815f59418fd9a16eb2c5fdae380da74753d78 |
| SHA512 | bc76ddbcf70495f591f732f5a318f0de053184a7f9a94a2200be2db198ca084994c595437e721fa7d00df285a550501c22df2af8f77fd72840210ccca0fc8b3b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:03
Reported
2024-06-03 06:05
Platform
win7-20240508-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesX2\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesX2\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIH\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9df50683c2a2273f207f209e2fb95c60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesX2\xbodec.exe
C:\FilesX2\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 0f64cbe970b5f0733347837d3d21c7d3 |
| SHA1 | 2a6ab16d63224031a8f640956def624b893352d9 |
| SHA256 | 43902ee14ad2c8ed4789d7e2bcdfc37af084d8a1d2462b0b1aac7e5959e81784 |
| SHA512 | b817d6643d0130433571a06668c4b0d114c6b25a351f0f3b3e54aa481a7b94ccfb5d60551c150c93de83156f5951bb6321d619dfc94d8b8e35708861b988bc41 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 22885dd01486d1dea91a2ab413d91cf6 |
| SHA1 | 4d5ee97debb4b700312fa07be9f8abdad9e86528 |
| SHA256 | 19e744b043e8ffc4c0469829cefda2bf1a76cb33d9045b72367f2015d3c67ac9 |
| SHA512 | a31d89f632b2df7ca0dd557d58892bce5eff63cddae20c587a200ecb7d434ab5973c55c1d1c3791b54c48ee67b703a75db59f2849003219de92b50ec1ff55623 |
C:\FilesX2\xbodec.exe
| MD5 | 502655e0df7406533eab4930dc7a10f9 |
| SHA1 | 5ef55962d6172a36c0e4706acb9e9457a86c4a02 |
| SHA256 | 237e073793441c3fdd90bba5a7e76274a2ded9ca47290bd65b09b78c7fef5f51 |
| SHA512 | 1264667fa3f600b1421628e50bd23ee58115d079dfb687f4c2f877994bf7be83d7c60895f88c49eb9811b1bf987e2f74455616632ad728abeabba4106b7647f7 |
C:\VidIH\optixec.exe
| MD5 | e83397a816d65de1251e795e53d6d802 |
| SHA1 | 0321c742c4bfaa396f87ef921968333a0d27da01 |
| SHA256 | d7d28c7cc37d4afec52e9fb5152855e8aaefc4b26e8cb439ba15a6e12d47ef6a |
| SHA512 | f8911d52675c9fa9b707190a1de361806f0e31a8823ca70a2fa6865eb8ada70a0b617c10116e10d87cecd89c7c74b6efc8b3acc21d562769dcfdbd8299bdb826 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9c218ed8f55ab016c5b37e1fcd495693 |
| SHA1 | c71aa3b792dbd4e2cf2497081441e0d0eab108ff |
| SHA256 | a7daea5640684aff66b75e9be684204c90cd1b45e8220be7c82f71792850ece9 |
| SHA512 | 59e603d2309c812ade9cf5d05490035e52a991aeb594da232b2481f2e2bdb5bd043926345791f8255e7d3a3cf15d5887278177d047f9083ac17692606cf30f31 |
C:\VidIH\optixec.exe
| MD5 | aa544eea511666eefa96cdeb231dfa47 |
| SHA1 | 44fe8e24194b9ce5e1019e79ffdc913a0f97f8f2 |
| SHA256 | 1b181e28a77a70b879e0187fdaebe691d14e7d57f692181b64da260091ce7fba |
| SHA512 | 76e98812525ca952a02a0e0a8fa0d22c0ba4a1152dd1c92bbdb5a6a6c9eea8b5ba1a9a5023d5c5fcd3b8fceaa678bb9ba556e4bb43afa627f32ba6222280dc4e |