Analysis Overview
SHA256
1ab17e03fdada90dd88aae5d633dfefbc9b2b213be9d04a3cece47398026d5fa
Threat level: suspicious behavior
The file 4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 23:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 23:52
Reported
2024-06-12 23:55
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotXY\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotXY\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4M\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotXY\devoptisys.exe
C:\UserDotXY\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | cfccd03fb399fae0df49b9a5137d9879 |
| SHA1 | bbbcba2a9ebcfb47e68efba2d96626e3f540e435 |
| SHA256 | a0a7fb72c0c48f692e1291597fac4c8a1d7d19c6fe6d601e62d8942c61bc7a17 |
| SHA512 | 5aeb526aa3d8930d46a89e05f00a3c1ecc18e6bf85fb46ce0e106aa0a529c0ae976410d2b4e1e2262fe6e8234621715bc1d2ffd89e5ebc89b7d6e5a00b65dea8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b1be5461e8ed0fdd490776935e800386 |
| SHA1 | b6de9671a467188583deacda01eb81525692e921 |
| SHA256 | e5323be30ae88ea7960307cb941a069cbe3216db3010954beb5b76bb5baeb27e |
| SHA512 | e43df038a4174cbcb1c3b4e0e7dd889af6af90ede5a01b12824bcf683cc71ccf2fa3a35ed960a0946e8be778b2b9803ee0baa1594e8c455836a4600795d792a2 |
C:\UserDotXY\devoptisys.exe
| MD5 | a23bcd9bcc2271d3305712734deb86df |
| SHA1 | e571d8260c1b11b5855e442d1fd5eae863063380 |
| SHA256 | 05564f8e200042cc920420b1cc46f4d96f7546eeb2a362658871cb71071c3774 |
| SHA512 | 30fc05df0c063c0aa840d5993bc23c5e20aa8b22ded5d7868658955731be0680fdf33e366c720d57764677c3ce1f15b9c5076c38073894a9ee437bf09f990853 |
C:\Mint4M\optixec.exe
| MD5 | cd598adf86d0e01572972267873b2672 |
| SHA1 | 43346a554a6277092fee77f94682bc9ae7549f25 |
| SHA256 | b64893bfacbbeee7886581e12d7b83ddc95bc91c9d3ef58a86b848bb2e1f1852 |
| SHA512 | 0f57f456c7e6af19e94695df38983b251f81abb9e47a31d8831e2f4304c09e82a8fbc1a4e554b2953902823321f54588e066c037476376cbcfbcce8f98a06846 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | caf6408a219965c3a2cd29fc315d02c9 |
| SHA1 | b5513b155e330264b799edb07f34888765d9cad4 |
| SHA256 | a3204a8fbf8aeeb5713890f513619a1a2c7cd613ece0946f4cfc30250dcbec34 |
| SHA512 | f11a3f465b238cb30a221e422b30d92fa8cea42985bed22e330089910f0cdba222f45ad82923ded1a7a1bfd810ccd76e226cd564917bff71c838da0b4158bec8 |
C:\Mint4M\optixec.exe
| MD5 | 983d91076d128fa70e4fb2ba14553c2c |
| SHA1 | 04cb956b20379f1db25e5581502732551f85e2c5 |
| SHA256 | bff44e1b659ba7864f41c14ced34ea5b9fa9b3b4f89337d27917b0e001691454 |
| SHA512 | 6cd05e49364df66e0e54731914304020f844278a784867737834ca9ba6a8c618c6a6e11cec13b7186c10ffc0e25f78df387053ab8e86f86f7a6dbc75faac00d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 23:52
Reported
2024-06-12 23:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Adobe7H\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e162a2042a856d33ab3989d2572a600_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\Adobe7H\xoptisys.exe
C:\Adobe7H\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 3597cbf638cd8e1b3865c0832c73f9e1 |
| SHA1 | 315b91825f9dff1ab80ba4591819a05494960581 |
| SHA256 | c3a40475e296fc0eed01284dc0f7952bb93245e1245ba116c93a45160f385eae |
| SHA512 | 9dfe956be7799c692d24c05ada67e5e425117fa6100d8f6eb3761bb70ea075492acffb33e32a0fd956e48240e37216d55cfe949cefb7fdcad4195f4bb1cd4d62 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ffaa8f5b267d209a4b61366b458b0679 |
| SHA1 | 7f9effe04f4a1de5f0aae4ef4659ae94d7bf9264 |
| SHA256 | 2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56 |
| SHA512 | 8ec34760f695bfd5effabade3d4d982c98fa556379f058d1590b7dafbfae5f0fef4cc33e421928739582a603855a350b6fc71fe2df5e50df1a8c630fb0eb8213 |
C:\Adobe7H\xoptisys.exe
| MD5 | 3543c1e396994be5e6bbca6203a5cd67 |
| SHA1 | a949179331a3319ce028d10fde280b2d3f02bb4a |
| SHA256 | 791e90b8a2084e31c50e95ea55ecf0c4b99a20c49e2ae7b1a5f0d679ff4e4858 |
| SHA512 | 52c9c5d5c16f9f9ceafef516113959565fcdc174f3434d748b4e2d71de81905ed0afee3e5092dec8ccede38b0fb6291d973a15e7367ef717d9dc8afc1e079391 |
C:\Adobe7H\xoptisys.exe
| MD5 | 1514c5739dc79fa7e074dfc202469a66 |
| SHA1 | 4b843a3811ae464b66ac8e496cbaf3c0fb6d07aa |
| SHA256 | d1a01a0ac306f39fa0dc65d271d7f80d63a9c4b93ae320758d95638d97605f29 |
| SHA512 | 9027ee1b867c8be4b2d36b73e616e7f817f84704fcc131bd3d3b56502c6ec2a23c41d8ad65d4043cc91f58bd8af241f20e93225222b60561a31cad5547daa69d |
C:\Galax7B\bodxloc.exe
| MD5 | 9dc5258b4d283aa317e1b9eadcf93fea |
| SHA1 | 72eaaa74287a11bd86f9df13853578d7baa745fd |
| SHA256 | 46797b15b25dc39ca25533f01835c1a807956f1e86cb64124140939aad99b6c7 |
| SHA512 | ab5c0e5016e8f9cb4a9f2a7e502a81bfa75615208c25981274d1c6e944fa660b823747aa61dbef5299392e2f44698350f859e5ca960490ec7609552043443bdb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b7d4e789dbe8aaff0e22005232d66884 |
| SHA1 | 561bb99b8bf60cd817be81e70a1514013689ff99 |
| SHA256 | c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9 |
| SHA512 | 9772d0d833083c9f49d10d230410304c5e2cc1c361d08d88fe665d101dc041a8ae5b7a388fe62086ff833a6ad91f22ebd3d616e985b3b96f7705ec292c1f2943 |
C:\Galax7B\bodxloc.exe
| MD5 | b2c1da885985d7126ff7db091c16829e |
| SHA1 | 57db532c749a57aa968b1a36590d08090165448b |
| SHA256 | d57eb32787d6841d7ed65183a1c8e1f3f343fd04383108086dc973f97b649076 |
| SHA512 | 81ce05eb46346421e265eb6cef7b1c69fb3d8bb64f5c88bf5ba76cfad3aca9e95a6ce6cae81e14884bf072a6ede0b2134bb5a2061cf8d01ca7a87c760284b6ec |
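Added example, not part of the sandbox report or of the sample itself: a small Python triage script that turns the "Adds Run key", "Drops startup file" and Files entries from both detonations above into a hunt list. The signature rows and (path, SHA256) pairs are copied from the report and embedded inline so it runs offline. Assumptions: the one drive-less path on the page (`\Users\Admin\...\ecxdob.exe`) is on C:, the sandbox SID is replaced by a `<SID>` placeholder and the sandbox user's roaming profile by `%APPDATA%` because neither is reusable on a victim host, and the doubled backslashes in the registry value data are a rendering artefact of the report. The three functions (`persistence_iocs`, `file_hunt_list`, `unusual_root_dirs`) are names chosen here.

```python
import re
from collections import defaultdict

# Rows copied from the "Drops startup file" and "Adds Run key" tables of both
# detonations (constructed inline so the example runs offline).
SIGNATURE_ROWS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotXY\\devoptisys.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4M\\optixec.exe"'),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe"'),
]

# (path, SHA256) pairs from the Files lists of both detonations, in page order.
# The first path appears on the page without a drive letter, exactly as copied here.
FILE_ENTRIES = [
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe", "a0a7fb72c0c48f692e1291597fac4c8a1d7d19c6fe6d601e62d8942c61bc7a17"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "e5323be30ae88ea7960307cb941a069cbe3216db3010954beb5b76bb5baeb27e"),
    (r"C:\UserDotXY\devoptisys.exe", "05564f8e200042cc920420b1cc46f4d96f7546eeb2a362658871cb71071c3774"),
    (r"C:\Mint4M\optixec.exe", "b64893bfacbbeee7886581e12d7b83ddc95bc91c9d3ef58a86b848bb2e1f1852"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "a3204a8fbf8aeeb5713890f513619a1a2c7cd613ece0946f4cfc30250dcbec34"),
    (r"C:\Mint4M\optixec.exe", "bff44e1b659ba7864f41c14ced34ea5b9fa9b3b4f89337d27917b0e001691454"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe", "c3a40475e296fc0eed01284dc0f7952bb93245e1245ba116c93a45160f385eae"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "2d43757e34c4cc2f430a8e4d5c4b3109a2b226d49086e751cbcacf0cbec4cd56"),
    (r"C:\Adobe7H\xoptisys.exe", "791e90b8a2084e31c50e95ea55ecf0c4b99a20c49e2ae7b1a5f0d679ff4e4858"),
    (r"C:\Adobe7H\xoptisys.exe", "d1a01a0ac306f39fa0dc65d271d7f80d63a9c4b93ae320758d95638d97605f29"),
    (r"C:\Galax7B\bodxloc.exe", "46797b15b25dc39ca25533f01835c1a807956f1e86cb64124140939aad99b6c7"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "c7f42ff3fade416c4e09e9cdebf5138afb6512685c9b752d71f535446d8d5eb9"),
    (r"C:\Galax7B\bodxloc.exe", "d57eb32787d6841d7ed65183a1c8e1f3f343fd04383108086dc973f97b649076"),
]

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
RUNKEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<subkey>.+?\\CurrentVersion\\(?:RunOnce|Run))'
    r'\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$', re.IGNORECASE)
STARTUP_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\(Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+)$",
    re.IGNORECASE)
KNOWN_ROOT_DIRS = {"users", "windows", "program files", "program files (x86)", "programdata"}


def normalise_path(path):
    """Assumption: a drive-less sandbox path such as '\\Users\\...' lives on C:."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return path


def persistence_iocs(rows):
    """Parse Run/RunOnce value sets and Startup-folder drops into host-agnostic IOCs."""
    iocs = []
    for desc, indicator in rows:
        if desc.startswith("Set value"):
            m = RUNKEY_RE.match(indicator)
            if not m:
                continue
            hive = "HKU" if m["hive"].upper() == "USER" else "HKLM"
            key = SID_RE.sub("<SID>", m["subkey"])  # the sandbox SID is not reusable
            iocs.append({
                "type": "registry",
                "key": f"{hive}\\{key}",
                "name": m["name"],
                "target": m["data"].replace("\\\\", "\\"),  # report shows doubled backslashes
                "one_shot": key.lower().endswith("runonce"),  # RunOnce values are removed after firing
            })
        elif desc == "File created":
            path = normalise_path(indicator)
            m = STARTUP_RE.match(path)
            if m:
                iocs.append({"type": "startup_folder",
                             "path": "%APPDATA%\\" + m.group(1),  # drop the sandbox username
                             "target": path})
    return iocs


def file_hunt_list(entries):
    """Group observed hashes by path. A path with more than one hash was
    rewritten during the run, so every hash must be hunted, not just the last."""
    by_path = defaultdict(list)
    for path, sha256 in entries:
        path = normalise_path(path)
        if sha256 not in by_path[path]:
            by_path[path].append(sha256)
    rewritten = sorted(p for p, hashes in by_path.items() if len(hashes) > 1)
    return dict(by_path), rewritten


def unusual_root_dirs(entries):
    """Top-level directories the sample created directly under C:\\; random-looking
    names beside the standard ones are a cheap filesystem hunt."""
    dirs = set()
    for path, _ in entries:
        parts = normalise_path(path).split("\\")
        if len(parts) >= 3 and parts[0].upper() == "C:" and parts[1].lower() not in KNOWN_ROOT_DIRS:
            dirs.add(parts[1])
    return sorted(dirs)


if __name__ == "__main__":
    for ioc in persistence_iocs(SIGNATURE_ROWS):
        print(ioc)
    by_path, rewritten = file_hunt_list(FILE_ENTRIES)
    for path in rewritten:
        print(f"rewritten during detonation: {path} ({len(by_path[path])} hashes)")
    print("unusual root dirs:", unusual_root_dirs(FILE_ENTRIES))
```

Two things the grouped output makes visible that the flat tables do not: the value name `Parametr` and the random-looking root directories are constant across both detonations while the dropped file names and hashes change between runs, so hunts keyed on the value name and directory pattern travel better than hunts keyed on a single hash; and every dropped executable except `devoptisys.exe` was observed under two different hashes at the same path, so a blocklist built from only the first hash listed would miss the version that was left on disk.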