Analysis Overview
SHA256
9c8a319b1f8dc5f5d5e65a41c94be89334edee2182c0241f48e95c26ff816611
Threat Level: Shows suspicious behavior
The file 2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 09:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 09:16
Reported
2024-06-11 09:19
Platform
win7-20240508-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Intelproc8E\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8E\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIA\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2208 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\Intelproc8E\xoptiloc.exe |
| PID 2208 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\Intelproc8E\xoptiloc.exe |
| PID 2208 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\Intelproc8E\xoptiloc.exe |
| PID 2208 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\Intelproc8E\xoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe"
C:\Intelproc8E\xoptiloc.exe
C:\Intelproc8E\xoptiloc.exe
Network
Files
\Intelproc8E\xoptiloc.exe
| MD5 | 1f295081518b5fb0e2bfee588d561a7b |
| SHA1 | e762c2aee2c71c1ad65364a7310a73d45d81c54d |
| SHA256 | 3d71a7ba324f96ea6c894b6586b44c03360f98e9e598175a0c937c7392b6534d |
| SHA512 | 592b6ec9bccde06cefcf6c2bc30ffd5b7ee4e5743a130aad8876fe2ff6df3c68b51570f321396542ec7c7a3969da8d9380eae1d13417adce92adbd57d2bd97fe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3d50f4257a816d6449624d78d4ec8ac9 |
| SHA1 | 348b6b5aa0afbdd0d4eea1b7d83822ea7fbba825 |
| SHA256 | 678e68a4965d59516df46e0a6de1233968a94cdaaae388c70eb98427e138bd06 |
| SHA512 | 7802b33a515570467ccb467387276bbfefb19e19b02c98c80f91008b8460adcc3773c811198c7321085a200e1f825bb7d7046416b9e0e95dc9134b426216a657 |
C:\VidIA\dobdevec.exe
| MD5 | 40279f569e3ea12b3dbb541015dfc22b |
| SHA1 | 03db93fd221298b84ed38467a058a231e100bcdd |
| SHA256 | 74e4a7883e810edd198fdec9d7e3af8660b138a4cc37f5b797a6b85690ca649f |
| SHA512 | 66b356b621a46508ad16c8b2e37faf6f3810741cb17860a975d6b10c1f1d0335e0e60ae7d0e05a441381ad04b2baec5ff373265d4f5cd30f7912cb9111f8cd77 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 09:16
Reported
2024-06-11 09:19
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocRG\devbodec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRG\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO8\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 884 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\IntelprocRG\devbodec.exe |
| PID 884 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\IntelprocRG\devbodec.exe |
| PID 884 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe | C:\IntelprocRG\devbodec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fc01a8f8856ffee1b061a4774f92590_NeikiAnalytics.exe"
C:\IntelprocRG\devbodec.exe
C:\IntelprocRG\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\IntelprocRG\devbodec.exe
| MD5 | d46c75284cd254ceeabe47ab5b77b485 |
| SHA1 | cc395bc6225ee9c0c2c90e826baadfe5ae0db82d |
| SHA256 | 334510469bdc8c90ec153d896bae55f6a66aec2db4f0ebf5f497580b9146348f |
| SHA512 | 829e4e18e1a504c1217c9bb6aa9a9be13f8927b482b9f9931f3e53926fc4165d32ee7697c138d6f7b010c0aaa3c32488d0a5285ed7c198e41656cf266fad9b4f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e2945d61b85ac2fc7a73add19da4eef5 |
| SHA1 | 68dc597c99eb7abaea839753f8d0e1d3132a08e0 |
| SHA256 | 871b71af2a2bf9744618a2f8c7f2e53bb3335399d20ecb0954a60b50d2e7d2df |
| SHA512 | 2ab95ae480b9ed03702913c7a47d49a798d3ed8bc177c521a0e153d475acfb4dfffb62f73b2674c70a14bf3fa1382c04829b4bab213fa1049a34bff6b59c28bf |
C:\GalaxO8\dobdevsys.exe
| MD5 | 200b954b182c0b10ad20302a66bc97ff |
| SHA1 | 359c4c520934c4a706c174bbefc57451d7c3e192 |
| SHA256 | ed7f640f079553f4b6e4b1bfb9a785bbee3da2ad291cb21c4b0adbb5488d62df |
| SHA512 | 6f3960f07cefa63db2a229778d23d0a6a66f24895fb050ef70972464f4b5c72cd19dcc47af725a6c2bce4f97c4a63dc031a2ecbbd48e926f2bb03d4ad4c658f6 |