Analysis Overview
SHA256
5005583fa4f8c5871a75859089148fef2e945b754405f7df5fe22b5e11723c8f
Threat Level: Shows suspicious behavior
The file 3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:04
Reported
2024-06-12 13:06
Platform
win7-20240611-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocQ0\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ0\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid95\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocQ0\devdobsys.exe
C:\IntelprocQ0\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocQ0\devdobsys.exe
C:\Vid95\optidevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid95\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:04
Reported
2024-06-12 13:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Adobe7H\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ca6e86a4c59ac5490197169c427e720_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\Adobe7H\xoptisys.exe
C:\Adobe7H\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.229.48:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe7H\xoptisys.exe
C:\Adobe7H\xoptisys.exe
C:\Galax7B\bodxloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Galax7B\bodxloc.exe