Analysis Overview
SHA256
555cf9c250546debf512f3f631c6240c74444c521bcf978492560ebe1a56c7da
Threat Level: Shows suspicious behavior
The file 9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:42
Reported
2024-06-03 06:44
Platform
win7-20240508-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Files5O\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDM\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Files5O\xoptiec.exe
C:\Files5O\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 483c2b46a08d51ae80fd4f5676353ac7 |
| SHA1 | 614a0a06988381c254d4f26a9693692996e080e2 |
| SHA256 | ea34f903d4809f12be02e25eff20ba814eee366455ccf48ebcc4619391b965ee |
| SHA512 | 1fbd43cd56975f221d4a8991dacc7aa130e5d2b4259e9619a2bf709f432a5650d90db6fad173213d786fda2fff40c74ab488fe86c03cd95b4eb114f814cb3460 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 98c0fa28739e9ca2f4a6cf8b39be2dba |
| SHA1 | 4c822faa67df81862cdd25fb17bc1c2a87831f80 |
| SHA256 | 8012405733882b6027f50fa2e3e2d3d8baf4752cd7243ad5e050995b54260e4c |
| SHA512 | bdf902a3ffce025aa78f77b5bf44b9794aa06c9c440ab06fd9e6ed6dd370fe54be4c3ebc2dd2a391a56e1215975b3c5557c8d4be9803fe32d4d4c0be8662c0d9 |
C:\Files5O\xoptiec.exe
| MD5 | 17c8706f007a00ce2428328b3314bb7f |
| SHA1 | b18effadb5c22e4078b1916ee2dee057a2aa8ee1 |
| SHA256 | 5699c56fe42858545c35cc2af286c4b57de243d1820c761d0659fd189b95c0e4 |
| SHA512 | beaf1548f057a01c0b5f293d800f68e9bdf04e9355ed6fa6c43fb13aa2409d4e987c425c06946acfd26cd7b2fd6e9b8aa61c725374e919cb49c52f9644df66d5 |
C:\VidDM\optixec.exe
| MD5 | 7140b7bb7030b73dd1f28c56bb6ade11 |
| SHA1 | 2de9bf278b61eaef501bfc810ac4339e9bc76ccd |
| SHA256 | 92e5252c11dcdb4e00de2f790726ce1c5232296509c6775f7567ae818f794421 |
| SHA512 | 4f1040116667e1eb42513161b1c7ae92572d58fe2769e1de7a57693ae3bfc6e58756fd6b83ccd27b1f5800814fdff6c22e7e7e4a691312ecb3a85e3f1b665698 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 43d923894d47412ad95845daef951271 |
| SHA1 | 867420c9c054f4cd61a6eabccdd1d4a29cc26bc7 |
| SHA256 | 50f9a4cdc7feb7ada022d79dbc27fd60f17e886acc94e8f23a37fbcb57f258fa |
| SHA512 | 6ecb4cf85f7d0f6ed3a506bbaee855dd6a5d24867d7df23b039ea73c9cab730269436c3b0dfa0b56da2e647650430302f6c22e36ff08e648c7d99dd078245aa1 |
C:\VidDM\optixec.exe
| MD5 | 3741e21c1bdd8dc50e280a5a211e1ab6 |
| SHA1 | 2f79b0b884b5bfc74026e134daa1d18bc8d9b3c3 |
| SHA256 | 90f23ddae123d03a382f6bca3f65714393c8a5fad005034a676a4eda76e887c5 |
| SHA512 | 710f0d50feccc78d7c05770fe885a9314ddd0d5f6312a38e5433d3ca249d999bf49778d657401a01dd8f9e20f180b1375915ccce2e36290c53ec850f587d7f57 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:42
Reported
2024-06-03 06:44
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc6D\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6D\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIY\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
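Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same persistence pattern: a copy of the sample is written to the user's Startup folder, and Run and RunOnce values are created whose name is always Parametr while the target directories (Files5O, VidDM, Intelproc6D, VidIY) and file names change from run to run. The script below is an added example, not part of this report or of any sandbox's own tooling: it parses the registry and file indicators exactly as the signature tables print them, normalizes them into hunt records, separates what is stable across runs from what is per-sample, and shows a host-side check that keys on the constant value name rather than on the randomized paths. The sample rows are copied from the tables above; the function names and the "top-level C:\<dir> folder" heuristic are this example's own assumptions.

```python
import re

# Indicator rows copied from the 'Adds Run key' and 'Drops startup file'
# tables of behavioral1 (win7) and behavioral2 (win10). Constructed input
# for this example; nothing is read from a live system.
SAMPLE_RUN_KEYS = [
    r'\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\xoptiec.exe"',
    r'\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDM\\optixec.exe"',
    r'\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6D\\abodsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIY\\bodxloc.exe"',
]
SAMPLE_DROPS = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe',
]

# Row shape as printed by the report: \REGISTRY\<hive>\<key path>\<value> = "<data>"
_REG_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<key>[^=]+?)\\(?P<value>[^\\=]+?)\s*=\s*"(?P<data>.*)"$'
)
_SID_RE = re.compile(r'^S-1-5-21-\d+-\d+-\d+-\d+$')
_STARTUP_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\([^\\]+)$', re.IGNORECASE)

# Well-known roots that legitimately sit directly under C:\ (example's own allowlist).
_KNOWN_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def parse_run_key(indicator):
    """Turn one registry 'Set value' indicator into a normalized record.
    Returns None for rows that are not in the \\REGISTRY\\... = "..." form."""
    m = _REG_RE.match(indicator)
    if not m:
        return None
    key, sid = m.group("key"), None
    if m.group("hive") == "USER":
        head, _, tail = key.partition("\\")
        if _SID_RE.match(head):          # per-user hive: split the SID off the key path
            sid, key = head, tail
    target = m.group("data").replace("\\\\", "\\")   # the report doubles backslashes in data
    return {
        "hive": "HKU" if m.group("hive") == "USER" else "HKLM",
        "sid": sid,
        "key": key,
        "autostart": key.rsplit("\\", 1)[-1].lower(),   # 'run' or 'runonce'
        "value_name": m.group("value"),
        "target": target,
        "target_dir": target.rsplit("\\", 1)[0],
    }


def parse_startup_drop(path):
    """Return the dropped file name if the path lies in the user's Startup folder, else None."""
    m = _STARTUP_RE.search(path)
    return m.group(1) if m else None


def hunt_terms(run_keys, drops):
    """Split the indicators into what is stable across detonations (alertable)
    and what varies per run (only useful as a sample-specific IOC)."""
    recs = [r for r in (parse_run_key(x) for x in run_keys) if r]
    return {
        "stable_value_names": {r["value_name"] for r in recs},
        # key paths are case-insensitive in Windows, so fold case before de-duplicating
        "autostart_keys": sorted({r["hive"] + "\\" + r["key"].lower() for r in recs}),
        "run_targets": sorted(r["target"] for r in recs),
        "startup_files": sorted(n for n in (parse_startup_drop(p) for p in drops) if n),
    }


def flag_autostart_entry(value_name, target, known_value_names=("Parametr",)):
    """Host-side check for one Run/RunOnce value taken from a registry dump.
    Flags the value name seen in both detonations, and (heuristic of this example)
    a target that executes from a made-up folder directly under C:\\, which is
    where all four observed targets live. Returns the list of reasons (empty = clean)."""
    reasons = []
    if value_name in known_value_names:
        reasons.append("value name matches sandbox-observed 'Parametr'")
    parts = target.rstrip("\\").split("\\")
    if len(parts) == 3 and parts[0].upper() == "C:" and parts[1].lower() not in _KNOWN_ROOTS:
        reasons.append("target executes from a top-level C:\\<dir> folder")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_RUN_KEYS:
        print(parse_run_key(line))
    print(hunt_terms(SAMPLE_RUN_KEYS, SAMPLE_DROPS))
    print(flag_autostart_entry("Parametr", r"C:\Files5O\xoptiec.exe"))
```

On a real host the same checks apply to the output of `reg query HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run` and to a directory listing of the Startup folder; because the RunOnce value is consumed and deleted on the next logon, the Run value and the Startup-folder copy are the entries that persist long enough to be found during triage.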
Processes
C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f1762f44af994828c6290ce8ed33520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Intelproc6D\abodsys.exe
C:\Intelproc6D\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 491e44560e494fac8c07dbd6bb0c4f55 |
| SHA1 | f428cb266743ac49e7c15991e5572d5e57caa0c8 |
| SHA256 | 911cb287b30ba839032093ddbd33249d2ea8d7f49c38d9e9b16082c359c0a296 |
| SHA512 | 73af62bbfbb605aedf00a2d0fb7eab6321fe5dd1af62f68a65fb5e2ef29f6dd4e621061c5fe58193ecb9bd383ddd8745a92b9843d5b83a0db6304bc0f029f7d5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d8607f207854327cfd1ebed252a31c8f |
| SHA1 | 0b01bf8f81a00bcaaebc81d01f70b00fbb8f6a8d |
| SHA256 | 9dc7eb0ee91251ef6b8b2fb9e41d76bebb11d80b0518afc3091760dec6d97833 |
| SHA512 | 3aad07f5c8c76206c73f1f51686eecd20d919287eaac71d5ad8784410b216ac50829b86c47aefcc9d39f51d5b7910687d5d53b5adb628ef7f94724bfe3b715d6 |
C:\Intelproc6D\abodsys.exe
| MD5 | bae5eb085a9f023b8d36e2a083933bdd |
| SHA1 | c8f3b383d6ce74e8606027a03db4b0ae08c513b1 |
| SHA256 | b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab |
| SHA512 | 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3 |
C:\Intelproc6D\abodsys.exe
| MD5 | d6b604480bf361adb607df06601282dc |
| SHA1 | 65b0073c443eae7506ad36d24e8789736a1201a1 |
| SHA256 | cd9ea0cbf6d411c9f1bf4d555ec51d8af7413467475a0b53bc32f22029b8a765 |
| SHA512 | a6ecdd3ef2f24cb14843c597a64a1565ee658edd98acfc4ae4fad43cb0ab1c59c99aa9ebb048f3d890a19f5c6a4e713c2f3f4282dad7633bfa8fc17a1a4b788c |
C:\VidIY\bodxloc.exe
| MD5 | ffcf28e8f5a5ca65ce8a23eb52150e10 |
| SHA1 | 7809e32d2e132bfcce2b8d6b8f7c67a15ede0ac3 |
| SHA256 | 44ad5191b84b45045413c555742b82bbc11e0f441e0086d11a9f7c0ec057f847 |
| SHA512 | 1963c51bf51761be0e5feebb2be22f5128368af3d7e99c451e151e795bc9761bd00e35d3ccf8c216a93110d5503e5dbd8531a585a11ba978ed3a5424e586880f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c289488640619aa4212433d6f298a3ba |
| SHA1 | 251b2ac3e446a34bb5183bd4826075da41e56aef |
| SHA256 | 003257d5a9e92ed7a973236adb689fe2fb7e66fa9e0bae7351b4b59be0fb4e5c |
| SHA512 | 16f7e518a09cd5d92ecdfe3df3da975c5f0ea7f962d3be2e984c15b357f0cb43b9602b4df919ae08c1791cc2c276b73145b077406dece019977beb43830fce19 |
C:\VidIY\bodxloc.exe
| MD5 | 780d2ee48bd39971d81984c730e56530 |
| SHA1 | 65f03e5e22f28a3cb833d800eb692b472c3967bf |
| SHA256 | fa96ccb730893635e929b1f23722fad0a6c84faf6ff8686131c31177eac59b8d |
| SHA512 | 10c29ceb0530e92e700aec600ca168a56d7f92da22f3d852b0275d4ce13b8b55cee8cb8be040926012463711dd3e3d85996c92fa74dfd55d6a2b075c1544f683 |