Analysis Overview
SHA256
82b1f1d0604e41e8d91dfcbfcb6e1369f8db744e30965909725e0bf3e0dd860f
Threat Level: Shows suspicious behavior
The file 624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-13 05:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 05:30
Reported: 2024-06-13 05:32
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeYN\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKG\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYN\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe" |
| C:\AdobeYN\aoptiloc.exe | C:\AdobeYN\aoptiloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeYN\aoptiloc.exe
C:\MintKG\boddevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 05:30
Reported: 2024-06-13 05:32
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 52s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\SysDrvNO\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNO\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD3\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\624002f183a1ecc2a19fb2a9e53e8a30_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\SysDrvNO\aoptiloc.exe | C:\SysDrvNO\aoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvNO\aoptiloc.exe
C:\VidD3\dobdevec.exe