Analysis Overview
SHA256
d70cff4de4ae2c63847f031c86ac010e0b4a31a43ecc3137beb170ef9109f53f
Threat Level: Shows suspicious behavior
Verdict for 532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:20
Reported
2024-06-13 01:23
Platform
win7-20240508-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvPE\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPE\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax56\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\SysDrvPE\xoptiec.exe |
| PID 2236 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\SysDrvPE\xoptiec.exe |
| PID 2236 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\SysDrvPE\xoptiec.exe |
| PID 2236 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\SysDrvPE\xoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe"
C:\SysDrvPE\xoptiec.exe
C:\SysDrvPE\xoptiec.exe
Network
Files
\SysDrvPE\xoptiec.exe
| MD5 | 5eeeca5aaa3de19c88443054b0502454 |
| SHA1 | 4f55e98b286e7c79cc2eebd2a6b3d37b0e56bedb |
| SHA256 | cef800488f53e13e8754e09f0c5576ad71fd7000b4affe5f0c7965106b4de561 |
| SHA512 | 12a022c78da646c839d82a7982a58ec4c9c352f69ef0b03cf201dd7055e7254a773cf3b7280c9160fe8f92b332cd07ed8e3652e72e04d0429a062690be412cbf |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f717628df3433748891f7f935350380a |
| SHA1 | 6bf5b3ff8c45264c8d03a73d809fe38296980a79 |
| SHA256 | 22a67ace9321fe714e9b1acbc76cfe0ae64c25beb197748ac3bbc19adc764d88 |
| SHA512 | ea515f212b01e6c11968b06ece942a021e390049019c081ab3b42f5fd1385deef642e0493f01b288e783698298160220457d1e07fb1046e4e085aaff57f40a67 |
C:\Galax56\boddevec.exe
| MD5 | e141b94762a21096cc0ad431004cb0c0 |
| SHA1 | 985b935412f15faeb5faa6ded406d9447ebac1e6 |
| SHA256 | 0e88070fc2910e9779baa6303204d9f29fbecb1d1d298495a03dc2d35c858c31 |
| SHA512 | a7566f2574cfbac98f003c6a9980037bbdfa598be51dacbd808b50c49acde3611842785cbc70b4288a5f93f3dda8711781ba3bb63775d64c85b6aaa414138622 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:20
Reported
2024-06-13 01:23
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
51s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FilesOH\aoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | N/A |
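Both detonations persist through the same HKCU Run/RunOnce value name, "Parametr", while the directory and file names differ per run (C:\SysDrvPE\xoptiec.exe and C:\Galax56\boddevec.exe on the Windows 7 image; C:\FilesOH\aoptisys.exe and C:\KaVB8R\dobdevec.exe on the Windows 10 image). The Python below is an added example, not part of the sandbox output: it parses the four indicator strings from the two "Adds Run key to start application" tables into structured entries, flags autorun targets that live in a directory created directly under the drive root, and reports value names that recur across different user SIDs, which is the stable artifact to hunt for. The allowlist of trusted root directories and the "one level below the drive root" heuristic are assumptions made for this example, not something the report asserts.

```python
import re
from dataclasses import dataclass

# Indicator strings copied from the "Adds Run key to start application" tables of
# behavioral1 (win7) and behavioral2 (win10) in this report.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPE\\xoptiec.exe"',
    r'\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax56\\boddevec.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe"',
]

# Assumption for this example: top-level directories under the drive root where a
# legitimate autorun target would normally live. Any other directory one level below
# the root (C:\SysDrvPE, C:\Galax56, ...) is treated as attacker-created.
TRUSTED_ROOT_DIRS = {"program files", "program files (x86)", "windows", "users", "programdata"}


@dataclass(frozen=True)
class RunKeyEntry:
    sid: str         # user SID the HKCU hive belongs to
    key: str         # "Run" or "RunOnce"
    value_name: str  # registry value name ("Parametr" in every row of this report)
    target: str      # unescaped path the value points at


# The sandbox prints the key path with single backslashes and the data with doubled
# backslashes; the registry itself is case-insensitive (Software vs SOFTWARE), so
# match case-insensitively.
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)\\'
    r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<target>.*)"$',
    re.IGNORECASE,
)


def parse_indicator(line: str) -> RunKeyEntry:
    """Turn one 'Set value (str)' indicator string into a RunKeyEntry."""
    m = INDICATOR_RE.match(line)
    if m is None:
        raise ValueError(f"not an HKCU Run/RunOnce indicator: {line!r}")
    target = m.group("target").replace("\\\\", "\\")  # undo the sandbox's escaping
    return RunKeyEntry(m.group("sid"), m.group("key"), m.group("name"), target)


def is_suspicious_autorun(entry: RunKeyEntry) -> bool:
    """True when the target sits in a directory created directly under the drive root."""
    parts = entry.target.split("\\")
    # Expect exactly ["C:", "<dir>", "<file>"]; deeper or relative paths are not judged here.
    if len(parts) != 3 or not parts[0].endswith(":"):
        return False
    return parts[1].lower() not in TRUSTED_ROOT_DIRS


def shared_value_names(entries) -> dict:
    """Value names seen under more than one user SID, i.e. across detonations.

    Directory and file names change per run, but the value name does not, so it is
    the stable artifact to look for under HKCU\\...\\CurrentVersion\\Run and RunOnce.
    """
    by_name = {}
    for e in entries:
        by_name.setdefault(e.value_name, set()).add(e.sid)
    return {name: sids for name, sids in by_name.items() if len(sids) > 1}


def triage(lines=RUN_KEY_INDICATORS):
    """Parse every indicator and return (flagged entries, value names shared across SIDs)."""
    entries = [parse_indicator(line) for line in lines]
    flagged = [e for e in entries if is_suspicious_autorun(e)]
    return flagged, shared_value_names(entries)


if __name__ == "__main__":
    flagged, pivots = triage()
    for e in flagged:
        print(f"{e.key:8} {e.value_name:10} -> {e.target}  (SID {e.sid})")
    for name, sids in pivots.items():
        print(f"value name {name!r} recurs across {len(sids)} detonations")
```

All four entries are flagged and "Parametr" is the one value name shared by both user SIDs. The RunOnce targets (boddevec.exe, dobdevec.exe) also appear in the Files sections of each detonation, so their hashes can be blocked alongside the Run target. Note that the .ini written to the profile embeds "6.1" on the Windows 7 run and "10.0" on the Windows 10 run, which match the respective Windows version numbers, so that filename is not a stable indicator either.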
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
| PID 3664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
| PID 3664 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe | C:\FilesOH\aoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\532ebd2210ac39d6f3f1c68c153a57e0_NeikiAnalytics.exe"
C:\FilesOH\aoptisys.exe
C:\FilesOH\aoptisys.exe
Network
Files
C:\FilesOH\aoptisys.exe
| MD5 | 466beda380ad058b78cc7d7b70da3cf8 |
| SHA1 | 101300e4e4d13cff76fbe46068cefc76c50cd3fe |
| SHA256 | a6a83e3a649b81ab4855d83d34dc94905862af476803123a4ac12bb6f697e981 |
| SHA512 | 1e113009eb4ed36c867c2338c77a7c8b58164185cb94da508007b1ca16d12b2adca85219d95521a9f27be0c328a3dc0efe5395d562f924fba0d94da3cbc99340 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 222965938db77832ebae202578561d2c |
| SHA1 | dece1b3e3cbeea87d809add263f325989ab90ef6 |
| SHA256 | cd8813dd0ebb899095bc7c0429ae0ca9f0886f8877e398e1cff2b7fe6ba4f98d |
| SHA512 | 628e75f66aae1bd33e4a0c37e350e5ebd717e0b51653a9f2db2b599f14049293fc6bdc2731be874dcb445f1a4ef47a7ea45116b9a8d39adcc1efc87dc9803deb |
C:\KaVB8R\dobdevec.exe
| MD5 | 783327c702ebddbf3b11ed583c718ef1 |
| SHA1 | 1cdf82e60d22df3bd85238343bb3099cd0bae232 |
| SHA256 | 7449923eb48f56e44649c988eb50a7f43054dc426b8573a1659842a7be4de743 |
| SHA512 | bcae727c919330049f099713fd497a102ffbeb41a5d64498ca9b1ae5def9afe34788d59d57a7511dcc464a3e2191378a993f371aa71a443c7432483d91b9e5ad |