Analysis Overview
SHA256
754c080edd00c5b98054c0e24327c4f57210c82a227f796894fe940b2f1cd154
Threat Level: Shows suspicious behavior
The file 69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:37
Reported
2024-06-13 07:40
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\SysDrv9M\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9M\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSX\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2140 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\SysDrv9M\devbodloc.exe |
| PID 2140 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\SysDrv9M\devbodloc.exe |
| PID 2140 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\SysDrv9M\devbodloc.exe |
| PID 2140 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\SysDrv9M\devbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe"
C:\SysDrv9M\devbodloc.exe
C:\SysDrv9M\devbodloc.exe
Network
Files
\SysDrv9M\devbodloc.exe
| MD5 | c384716967e21c9c7aaa447fbd6114dd |
| SHA1 | 78f94c74eac0221f23ebe1ab4992aecd312a377f |
| SHA256 | b273fd702e209fc5725fd4472e6e8cd2ede28b405807967c07b0be7538029b9a |
| SHA512 | 948e3af733dead1cb386c59fd349036d56c1986e05fa8a14e9a80b1aa19653d430458e40d05479eec7e302c711f40269c83315207533f6d8831b997473f7d83f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b7eff09f91abd1aaff9b4711c489136d |
| SHA1 | 43a87a2bdfbab7731fdeb94457d010b172e01c0b |
| SHA256 | ce2be07f8bf0ea70aed9e8bad588020003bf3dd950ecc995b05c56aa0a063cd5 |
| SHA512 | 74ebeceeb3a30bdc363bb70e162f097927e9241a19f413b3e860240e82f89ee2665943a3fd1e35128c46a883b015712b6269141acec371f688afc54bdcbb86d9 |
C:\LabZSX\dobdevec.exe
| MD5 | bd6e0936e1675b85849a7b7771cfe4cb |
| SHA1 | 7386b65e0ccbe4b0c8a68f02dfd457f046404227 |
| SHA256 | 4979a275983931491f9aefdbdc9e8de6e9ad79b550cced5dce7bbee8fbbb483c |
| SHA512 | 7fe4e29e0701f968b2a471bee68ee3fbe746426d9a153eb5c5dca754c022349302677996b11d32e580a645311c22491eefdb34a7082d2221219a64c46c114c7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:37
Reported
2024-06-13 07:40
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesQ0\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQ0\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKE\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4436 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\FilesQ0\devoptisys.exe |
| PID 4436 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\FilesQ0\devoptisys.exe |
| PID 4436 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe | C:\FilesQ0\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bbdd449ed40e0c8f7f1fd845e74cb0_NeikiAnalytics.exe"
C:\FilesQ0\devoptisys.exe
C:\FilesQ0\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\FilesQ0\devoptisys.exe
| MD5 | 33490ed6f6ca55ebbc4128717fdeddcb |
| SHA1 | 3d865196c7bb6504c07ed81b0215a1477b18b466 |
| SHA256 | 99b3ae289b1040f27fafe7b0dc5c49419e5b3eb8779af608562a79838f39f340 |
| SHA512 | 39dbff15ea058571af95c025d8804c53e063592ae0825f606f93c2101d554f0cb0871ef5befca3edc282bc803a172e3415fb6788f2941f16a06be6dd81cb2b6f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 22a72e3f50d5df1eee7c3b69cd076aac |
| SHA1 | a04fe6c0c23c7ab4e83138375b95d60fb2d9d9c5 |
| SHA256 | cd5aac5d87c0eed852274969db1154a00c6914a007da1c38f5abcf38a11bddf2 |
| SHA512 | 27f9bc1c8d87de730d6daf13b75550612a49806e72fe8f9c97c31789b9408c5927ca815de9f7b6bc615d7ea4a4bb5e4b1516be3e32523d9066ed834a14e25460 |
C:\LabZKE\optidevsys.exe
| MD5 | ed2ae2ba80a2e62d2672adfedd0b25d9 |
| SHA1 | 81909433f39fef9f6c8f3b740233d5896e12f3e3 |
| SHA256 | e366386e59e4b8f17c626abf9944d60e0c0ffe38ecc4fedcd03d7817dce0aaca |
| SHA512 | 1ee4605187de0f8231831bebad8222fd6bdbd46bb71afe59f4c15b3d5c4117464fa64c90bf9fbf36cf4325481af381349217ac8a43f026fcaa4106e98180bdce |