Analysis Overview
SHA256
8a42901d4599b31b0d7bf8c7eb9be802fa44c326e4272fbef9e2f324c4b2f94f
Threat Level: Shows suspicious behavior
The file 6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:18
Reported
2024-06-13 06:20
Platform
win7-20240220-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvI2\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI2\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJ6\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2912 wrote to memory of 3000 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | C:\SysDrvI2\xoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"
C:\SysDrvI2\xoptiloc.exe
C:\SysDrvI2\xoptiloc.exe
Network
Files
\SysDrvI2\xoptiloc.exe
| MD5 | 3bbea5474146f1443b5806f3f95fd43b |
| SHA1 | 9087def4de706c9ffc78aa1accae5ed697fb8cc2 |
| SHA256 | 96db98ea165565ee44ffc01d61b4fc8acf2b05bb902df31a241942bd28e134ca |
| SHA512 | ffaef28fe2e85dccc771e2641e2c71908bd689c63f2780d7772b63181e463e8d53424cc33950b9de6388af569aec4e1e67dd978caabb98a5e124890e9f52326d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5bd682623dbf12f1b12e24fd9368ad30 |
| SHA1 | c0a809c4bf7eef2570f8b7e4ef3c371e4e68bbf6 |
| SHA256 | d4afdb71210a26aa1b39219bccb3c3c938013b94fe0628066a3271e67cf136ac |
| SHA512 | 9fb43b479f1f8dc38e425739c8789ba724e27fe857ee27a151a9ef184ace2599d2e12dddb92aee60707503f949326b3d8ca97959bff09d08c637e4dc676bda7c |
C:\VidJ6\bodxloc.exe
| MD5 | 1b984ee2c3d927d86a22b995692b5a00 |
| SHA1 | 33605b020f501f87a51a3fa7ed7cc6c55872d05a |
| SHA256 | ffb61654f91dbfb6f3ebe637261c94e13fac1ff8ba1e23819ac71a81d4233a70 |
| SHA512 | 56282df60792fa3ada2dd11330deae26d055af11fde8cc6d32fa9d1f4e4b47ac4b4a1ba520b80a2c7852e8a2fefbf331d24b3564f02dcd51ea7bd4fb22568118 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:18
Reported
2024-06-13 06:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\UserDotT1\xbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT7\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT1\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | N/A |
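Both detonations persist the same way: a value named Parametr under the current user's Run and RunOnce keys, pointing at an .exe in a freshly created directory directly under the drive root (SysDrvI2, VidJ6, UserDotT1, GalaxT7). The script below is an added example, not part of the sandbox report or of the sample, showing how that pattern can be turned into a check over registry set-value events. The event shape (key path, string data) and the two benign entries (ExampleVendor\updater.exe and an Explorer setting) are constructed here for illustration; the four flagged entries reproduce the values recorded above.

```python
import re

# Constructed sample events in the shape (registry key path, string data).
# The first four reproduce the Run/RunOnce values this report records; the
# last two are made up here for contrast (a vendor updater under Program
# Files and a non-autorun key write) and do not come from the detonation.
SAMPLE_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     r"C:\SysDrvI2\xoptiloc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     r"C:\VidJ6\bodxloc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     r"C:\GalaxT7\optialoc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     r"C:\UserDotT1\xbodloc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     r'"C:\Program Files\ExampleVendor\updater.exe" /silent'),
    (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "1"),
]

# Autorun keys are matched on the suffix below the per-user SID, so the rule
# does not depend on which user hive the write lands in.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# <drive>:\<one directory>\<name>.exe, the dropper's layout on this page
# (SysDrvI2\xoptiloc.exe, VidJ6\bodxloc.exe, UserDotT1\xbodloc.exe, GalaxT7\optialoc.exe).
ROOT_DROP_RE = re.compile(r"^[A-Za-z]:\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+\.exe)$", re.IGNORECASE)

# Top-level directories where an autorun target is ordinarily expected to live.
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows", "users", "programdata"}

# Value name reused by both detonations in this report.
KNOWN_VALUE_NAMES = {"parametr"}


def parse_command(data):
    """Extract the executable path from Run-value data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)
    return m.group(1) if m else data


def classify_autorun(key_path, data):
    """Return None for non-autorun writes, else a dict with the reasons the entry is flagged."""
    m = AUTORUN_KEY_RE.search(key_path)
    if m is None:
        return None
    exe = parse_command(data)
    reasons = []
    if m.group("value").lower() in KNOWN_VALUE_NAMES:
        reasons.append("value name matches known IOC")
    drop = ROOT_DROP_RE.match(exe)
    if drop is not None and drop.group("dir").lower() not in EXPECTED_ROOTS:
        reasons.append("target is an .exe in a directory directly under the drive root")
    return {
        "key": m.group("key"),
        "value": m.group("value"),
        "exe": exe,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan(events):
    """Run classify_autorun over (key_path, data) pairs and return the flagged entries."""
    hits = []
    for key_path, data in events:
        entry = classify_autorun(key_path, data)
        if entry is not None and entry["suspicious"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['key']}\\{hit['value']} -> {hit['exe']}: {'; '.join(hit['reasons'])}")
```

The two reasons are deliberately independent: the value-name check is a brittle string IOC that will stop matching the moment the name changes, while the root-level-drop check captures the layout itself and also fires on a Run value with a different name, at the cost of needing the EXPECTED_ROOTS allow-list to be tuned for the estate it runs against.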
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3692 wrote to memory of 2940 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe | C:\UserDotT1\xbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"
C:\UserDotT1\xbodloc.exe
C:\UserDotT1\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\UserDotT1\xbodloc.exe
| MD5 | 0aa1f85641900ab469ef7dbf5602a47d |
| SHA1 | 40d8f9880f99b20da62f2f445fde4713e7b58a37 |
| SHA256 | 429f4dc96f799c0c27f2358491cf7661944e794aabe161e86c1cfdae3dc8ed5d |
| SHA512 | 9311e3e0421e75b148f7361ef3ec6385b3c11fe425e24ee0a0757bacd4ea491384905971fec9ff88e577d362a0f1a108db75588f0d9ed76179455f591ad8664c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | de490fa2751cc44ec20801a219dc81ba |
| SHA1 | 286bb4891a1052fc7bbc3f81aa780e08ad3d56a1 |
| SHA256 | e39cf8c8e86c5ceeb82cb821e69b82a4de69420fa2ba666229c3bf9a5cb8120d |
| SHA512 | 5f237dd2bd48afc875f58ca779b34009b74c520d5d450f72da0534c1a401afa755a152e7851b7e0ec02f99c7d854b86a71092af9e63c708a436117bd8c76a33d |
C:\GalaxT7\optialoc.exe
| MD5 | f154b7394805b7d8634e344b52f902df |
| SHA1 | bc4ff289e55a2ca865a8ddad7700c557a23c5e27 |
| SHA256 | 0141dbdb593d7729a8123e242ee5a031b9af386a2b3eab0724b93e9ed753e719 |
| SHA512 | 734a9ca78dcb702fe65c97634621ffa66df96a831ee9faafd422bd8e48b058f02364035250c90262a14ce033c1664d933a5f156535f57932619c752b8e579952 |
C:\GalaxT7\optialoc.exe (same path captured a second time with different contents)
| MD5 | 8be19da987f9c686dd25335d31a5ec3a |
| SHA1 | 498d05ad243e7f558a00de1cf99d801396efc237 |
| SHA256 | 377d52a13f3bfdaf2216578c7350dab133620e7d8a6ab387e77ae65954e1a524 |
| SHA512 | 669be468e9226faa60d0573a8f19b808e73e0d1f926625f3b7d8e83b0b99dce6b9f6a22829e7c6d7c1478e66a8853693e921dade0b38c4650e61f52fef66122e |