Analysis Overview
| SHA256 | 828889525bae15f4cfc55b4cdd6486d1fb3427f54d1f097104d098c77275fa8b |
| Threat Level | Shows suspicious behavior |
The file 9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-06-03 06:32 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-03 06:32 |
| Reported | 2024-06-03 06:34 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 149s |
| Max time network | 102s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrvD3\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD3\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAF\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\SysDrvD3\devoptiloc.exe | C:\SysDrvD3\devoptiloc.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvD3\devoptiloc.exe
C:\GalaxAF\optidevec.exe
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-03 06:32 |
| Reported | 2024-06-03 06:34 |
| Platform | win7-20240221-en |
| Max time kernel | 149s |
| Max time network | 118s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesZ0\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ0\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGC\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9ec468f6e30651cf3871122f17cf3ee0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\FilesZ0\devbodec.exe | C:\FilesZ0\devbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesZ0\devbodec.exe
C:\KaVBGC\dobdevec.exe