Malware Analysis Report

2025-01-18 01:13

Sample ID 240613-g2qvns1drr
Target 6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe
SHA256 8a42901d4599b31b0d7bf8c7eb9be802fa44c326e4272fbef9e2f324c4b2f94f
Tags persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 8a42901d4599b31b0d7bf8c7eb9be802fa44c326e4272fbef9e2f324c4b2f94f

Threat Level: Shows suspicious behavior

The file 6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 06:18
Reported 2024-06-13 06:20
Platform win7-20240220-en
Max time kernel 150s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI2\\xoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJ6\\bodxloc.exe" C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\SysDrvI2\xoptiloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"

C:\SysDrvI2\xoptiloc.exe

C:\SysDrvI2\xoptiloc.exe

Network

N/A

Files

\SysDrvI2\xoptiloc.exe

MD5 3bbea5474146f1443b5806f3f95fd43b
SHA1 9087def4de706c9ffc78aa1accae5ed697fb8cc2
SHA256 96db98ea165565ee44ffc01d61b4fc8acf2b05bb902df31a241942bd28e134ca
SHA512 ffaef28fe2e85dccc771e2641e2c71908bd689c63f2780d7772b63181e463e8d53424cc33950b9de6388af569aec4e1e67dd978caabb98a5e124890e9f52326d

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 5bd682623dbf12f1b12e24fd9368ad30
SHA1 c0a809c4bf7eef2570f8b7e4ef3c371e4e68bbf6
SHA256 d4afdb71210a26aa1b39219bccb3c3c938013b94fe0628066a3271e67cf136ac
SHA512 9fb43b479f1f8dc38e425739c8789ba724e27fe857ee27a151a9ef184ace2599d2e12dddb92aee60707503f949326b3d8ca97959bff09d08c637e4dc676bda7c

C:\VidJ6\bodxloc.exe

MD5 1b984ee2c3d927d86a22b995692b5a00
SHA1 33605b020f501f87a51a3fa7ed7cc6c55872d05a
SHA256 ffb61654f91dbfb6f3ebe637261c94e13fac1ff8ba1e23819ac71a81d4233a70
SHA512 56282df60792fa3ada2dd11330deae26d055af11fde8cc6d32fa9d1f4e4b47ac4b4a1ba520b80a2c7852e8a2fefbf331d24b3564f02dcd51ea7bd4fb22568118

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 06:18
Reported 2024-06-13 06:20
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\UserDotT1\xbodloc.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT7\\optialoc.exe" C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT1\\xbodloc.exe" C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\UserDotT1\xbodloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6503b76ced2c5818dfafd0e78910add0_NeikiAnalytics.exe"

C:\UserDotT1\xbodloc.exe

C:\UserDotT1\xbodloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\UserDotT1\xbodloc.exe

MD5 0aa1f85641900ab469ef7dbf5602a47d
SHA1 40d8f9880f99b20da62f2f445fde4713e7b58a37
SHA256 429f4dc96f799c0c27f2358491cf7661944e794aabe161e86c1cfdae3dc8ed5d
SHA512 9311e3e0421e75b148f7361ef3ec6385b3c11fe425e24ee0a0757bacd4ea491384905971fec9ff88e577d362a0f1a108db75588f0d9ed76179455f591ad8664c

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 de490fa2751cc44ec20801a219dc81ba
SHA1 286bb4891a1052fc7bbc3f81aa780e08ad3d56a1
SHA256 e39cf8c8e86c5ceeb82cb821e69b82a4de69420fa2ba666229c3bf9a5cb8120d
SHA512 5f237dd2bd48afc875f58ca779b34009b74c520d5d450f72da0534c1a401afa755a152e7851b7e0ec02f99c7d854b86a71092af9e63c708a436117bd8c76a33d

C:\GalaxT7\optialoc.exe

MD5 f154b7394805b7d8634e344b52f902df
SHA1 bc4ff289e55a2ca865a8ddad7700c557a23c5e27
SHA256 0141dbdb593d7729a8123e242ee5a031b9af386a2b3eab0724b93e9ed753e719
SHA512 734a9ca78dcb702fe65c97634621ffa66df96a831ee9faafd422bd8e48b058f02364035250c90262a14ce033c1664d933a5f156535f57932619c752b8e579952

C:\GalaxT7\optialoc.exe

MD5 8be19da987f9c686dd25335d31a5ec3a
SHA1 498d05ad243e7f558a00de1cf99d801396efc237
SHA256 377d52a13f3bfdaf2216578c7350dab133620e7d8a6ab387e77ae65954e1a524
SHA512 669be468e9226faa60d0573a8f19b808e73e0d1f926625f3b7d8e83b0b99dce6b9f6a22829e7c6d7c1478e66a8853693e921dade0b38c4650e61f52fef66122e