Analysis Overview
SHA256
66ea5893da5f545fe768daf4dcc4283f68aa0f252767f410c07897031a8984c1
Threat Level: Shows suspicious behavior
The file 5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-13 03:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 03:00
Reported: 2024-06-13 03:03
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 119s
Command Line:
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvUF\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUF\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXI\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\SysDrvUF\xoptiec.exe
C:\SysDrvUF\xoptiec.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 03:00
Reported: 2024-06-13 03:03
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 150s
Command Line:
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDot0I\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0I\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7Z\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5944df99886d49561a1f0aa7d36650e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDot0I\abodsys.exe
C:\UserDot0I\abodsys.exe
Network
Files