Analysis Overview
SHA256
bb3dc86a6fa61915f8126ffd35895ee758cc46489b294c07f5447b08558188c6
Threat Level: Shows suspicious behavior
The file 9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:50
Reported
2024-06-03 06:52
Platform
win7-20240508-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\Adobe2V\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZG0\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2V\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\Adobe2V\aoptiec.exe
C:\Adobe2V\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 7c84f308c24709de165ea2eb5a26335c |
| SHA1 | 301c8148e04d81911141639b9e95a05c5b1db05e |
| SHA256 | e1fe491307d62f600aaf00e1d0154e854c08ac769c46adfad7eef918a86cee75 |
| SHA512 | a8d8f221bf5786ae9b76e9ff932523e6582b39c73ce79d2cfbbcb3ebe809300cddae5f0a8a1dd9267b5e36bde8c030490d90eea3c2748ece068e829e3712ebd2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 81717bfd3cc7532ca415d171df7fd533 |
| SHA1 | 7e5df5ad724d5d540d249daa5d306689f470e6bf |
| SHA256 | 7162f8ff32186e23a4af6d2afdbe858150ebf385090889f82b3b7d446adfae71 |
| SHA512 | fc9808453d343bc3c31140d573c23932c6c3d2709a6da59ccabc7b1faf20cfdfd49dd790b454c6ec807da044760a0a0c5690f639e2c5da4da89cc41d55f6edba |
C:\Adobe2V\aoptiec.exe
| MD5 | ab94f16a5b35add8c10f120e1042cd40 |
| SHA1 | 939bb02e96ef6be95129bd990196c54da246ee5f |
| SHA256 | fe39694e97a9956848451ecb3ba92cd170a4249a04c4e05a6946213aafddaf81 |
| SHA512 | f7b2aed69267b889af1794eb5d592300c455de83f6d6151959923116cf93c58afa4a14b198108bc3aa1194fc8b4f0c3d90913f0859049d9ecfc3bd1342c95791 |
C:\LabZG0\optiasys.exe
| MD5 | 8d65a81899be74fc65abc945a6a7a6c3 |
| SHA1 | 141132809822566956809c09083d4e3333b89f08 |
| SHA256 | 8f98230cdeea75187a07dbc5f6e4f30e741c1616ccc5d853b962dc87851e29fe |
| SHA512 | 4492dfb05b38eb193d091ab0b36b301b92ae180105d02736c439130789050ff2d7c76e918555ee4f2afea4437badbdaa2dae3d91ab853327342a8f5b53442247 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 58502fc9a2b66f10e1ffdc01cb0c7668 |
| SHA1 | ba1b2349061ca068201a46e7b6f88e7d0889b3fd |
| SHA256 | 13667dc6fc3d501307d422f23e00bc6ce01b184cf43da4db85acc1c89c9dd45e |
| SHA512 | f95db64b484bf3073d7b455d04c9f1a5ddb59278c74dfd8db11cf532adebd208fbb03a604cfc26a814223435b384c362ed2d9ebcd7cc909aeb8b6bbc505873b1 |
C:\LabZG0\optiasys.exe
| MD5 | 02b553c90dabaef3281041f836265d8f |
| SHA1 | 1eeefbdacf38de1857b1490c9665ff00080349ec |
| SHA256 | 1213244c5516ff5de94913de1ea2f08528dae07052c0d5de3011696f9fc1e3b1 |
| SHA512 | cac039800317dfd152311a9deebf715078df6683cedb9af40fa1ecd347b9a04dccc995014c06308b56e7701eb82bccea5d36aebdc4c88b914170a0d4e92c2188 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:50
Reported
2024-06-03 06:52
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\IntelprocBV\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBV\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f44883b7c29d97ad05c51791421e920_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\IntelprocBV\aoptiloc.exe
C:\IntelprocBV\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 127bf8546bad301f166b0f8aa29c5777 |
| SHA1 | cc1f1a4cf03bd5faaa3a5d04117acc2f50c42d2b |
| SHA256 | 13bce781aeb7141c97bffb2a8e7eb1dc30cf6253a6c0e00627a71fa3784d6285 |
| SHA512 | b705adc5f7acbeb567d6fb8940cb373c79c299bfaad456f33f406b3e6a320c0823e1b2c5a10ffa71b6424725d63a444384303077969bf714dd1c8b1904c35757 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 50c15c53a335152c1644f22375757d6c |
| SHA1 | 9e72d7552be380cfa69622f280d6579cbbbf2d69 |
| SHA256 | 8b23a3e230ec270875cb8d317e7f0558ae1f343126bd2ded76ffc7b50c91586b |
| SHA512 | fe2588322ac2b94b0587ba88e9c945c6357e41bbc43fd53b0aef4c8f67f68c058587884509e97e047a1b72f73e56ff713cd991246fa68c3071190642026631e5 |
C:\IntelprocBV\aoptiloc.exe
| MD5 | a301c899744d57670986d0686a4797f6 |
| SHA1 | d72f669f0a2d0cf4381b6d915746f272d58bc1ed |
| SHA256 | b043cfdadd5d8e2b9bcb8fcac2d469e365c25e0e311acda8e925ea507191a0a2 |
| SHA512 | 695d015c29e21db88e672ae8977741c2cc6cf6db0f248c017a99d4a25eb1939f232d5c9674f2b5bfc00195cc7cf1e96ffa158bb56616a4f141e65ed4ca67e7a5 |
C:\LabZ8A\optixsys.exe
| MD5 | c5cfe1fb3ffc85f6f58808a90a25e91e |
| SHA1 | ea78a58a967d2365305ccabf1b39b6f7b0a0b7e3 |
| SHA256 | 50c90a817d63d059b816ac95af37989df34e48ec70ef2acc583abb3cf31cab51 |
| SHA512 | 5dc1e22ba14edba2a7edf8e9a293b062eaede2c7b009297aaa3b1e6a770471f162799a9e1d7fa3d802fcdb3b64c0c79bb4ebb9ef8c89d0aa31f21e642d728cbe |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bb0ae2c0f252f182db113945745b8751 |
| SHA1 | 5fe98b69530d3e43cf2b90737dbf5ae1c6a808a9 |
| SHA256 | 7c603c5782f32c7bf700c6e0afaffac1011d06ba90e6acce4133aa4cd2da3f6b |
| SHA512 | a83c0d3861b0596c21b4f1afdaed8434b030f8572ad9d1a2e78eee4d25f004bff2a790d95fe2b3fefddbf9259e005c95da890023c2c6fd7fb9fd29ae2896486a |
C:\LabZ8A\optixsys.exe
| MD5 | 069c7d5ebc20ead441519fc2807acdfc |
| SHA1 | 94eb49acfddc6450c4810d85271299b49f964a2a |
| SHA256 | af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f |
| SHA512 | 91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9 |