Analysis Overview
SHA256
e6ed7ff7e6e8cdf897faf9ab9e94e6d5d7fb2523d0feccac1ffe68bf530244bb
Threat Level: Shows suspicious behavior
The file 9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:10
Reported
2024-06-14 02:13
Platform
win7-20240611-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FilesFR\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFR\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7K\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\FilesFR\aoptiec.exe |
| PID 1784 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\FilesFR\aoptiec.exe |
| PID 1784 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\FilesFR\aoptiec.exe |
| PID 1784 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\FilesFR\aoptiec.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe" |
| C:\FilesFR\aoptiec.exe | C:\FilesFR\aoptiec.exe |
Network
Files
\FilesFR\aoptiec.exe
| MD5 | 88d91aee778b8c62d0431e6e55a39c6d |
| SHA1 | ded1546a038526cd258a4b6f97f43528f0472afb |
| SHA256 | 8e22f672035ac5fc2a8018d29ec3e64785bc2388c8476b7e77b48ac8710fbb38 |
| SHA512 | 082dd0ebba323816dc2b112724e98796267b3521676a8ff2fd4a98e50b0a4607bee4525b38d9996e35514db5fe38017e08ff0d1a7df7684623d1a125890b467b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9285ca96eae2c2d2d1dc3014da658e48 |
| SHA1 | ab1bbd2185912f7f7e510a4391feecf65d434c7e |
| SHA256 | 022387f323bc3a5b4d29ff79a2e9672dc34d34f5c5594574d0043ed693b65b4b |
| SHA512 | 591f4f1b1d6bea138edc32ffd78154537dcae21a02341e2084f2054578b617f3c43d22977036633ddfe96ecba5df7ec7911c7e1983038d8afaddcbb390b28282 |
C:\Mint7K\dobxloc.exe
| MD5 | 8d2c0299f02e0a3cd6461a5b67e4a765 |
| SHA1 | 52ece48c8d47c2aee16a8a77868be394fb0e01f4 |
| SHA256 | 602cea493eeb5ff9d63632290288e40262c39c1f9e0d7965f60a1e56ac621a81 |
| SHA512 | 50d580da97d967a265f074ceb4b0e22b4b964618e8b395e2d8528fc29895bcd2c4b740e1680759bec22b6cc0ecceacac405dd739efc865336e2c58d3d7fc4d11 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:10
Reported
2024-06-14 02:12
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\AdobeDO\aoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB67\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\AdobeDO\aoptiloc.exe |
| PID 4192 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\AdobeDO\aoptiloc.exe |
| PID 4192 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | C:\AdobeDO\aoptiloc.exe |
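Both detonations set the same autorun value name ("Parametr") under Run and RunOnce, each pointing at a freshly created directory directly under C:\ with a different random name. As an added example that is not part of the sandbox report, the following Python parses the "Set value (str)" registry indicators and the WriteProcessMemory rows above into the facts an analyst would pivot on. The indicator strings are copied from the report; the STANDARD_ROOT_DIRS list, the function names and the interpretation comments are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: turn the 'Set value (str)'
registry indicators and the WriteProcessMemory rows into structured facts
(hive, autorun location, value name, target binary, parent->child write counts).
Indicator strings are copied from the report; STANDARD_ROOT_DIRS and the
function names are assumptions of this example."""
import re
from collections import Counter
from dataclasses import dataclass

# Copied verbatim from the two behavioral analyses (raw strings keep the
# doubled backslashes exactly as the report prints them).
SET_VALUE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFR\\aoptiec.exe"',
    r'\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7K\\dobxloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\aoptiloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB67\\dobxsys.exe"',
]

# (description, source process, target process) rows copied from the report:
# four identical rows in behavioral1, three in behavioral2.
WPM_ROWS = [
    ("PID 1784 wrote to memory of 2416",
     r"C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe",
     r"C:\FilesFR\aoptiec.exe"),
] * 4 + [
    ("PID 4192 wrote to memory of 1288",
     r"C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe",
     r"C:\AdobeDO\aoptiloc.exe"),
] * 3

# Top-level directories where a legitimately installed autorun target normally
# lives (assumption of this example; tune per environment).
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass(frozen=True)
class AutorunEntry:
    sid: str
    location: str      # "Run" or "RunOnce"
    value_name: str
    target: str        # normalized path with single backslashes

    @property
    def hive_key(self) -> str:
        # \REGISTRY\USER\<SID> is the NT name of HKEY_USERS\<SID>, i.e. the
        # logged-on user's HKCU: per-user persistence, no admin rights needed.
        return f"HKEY_USERS\\{self.sid}\\...\\CurrentVersion\\{self.location}"

    @property
    def root_dir(self) -> str:
        # "C:\FilesFR\aoptiec.exe" -> "FilesFR"
        return self.target.split("\\")[1] if "\\" in self.target else ""

    @property
    def suspicious(self) -> bool:
        return self.root_dir.lower() not in STANDARD_ROOT_DIRS


def parse_set_value(indicator: str) -> AutorunEntry:
    """Parse one '<key path>\\<value name> = "<data>"' indicator line."""
    key_path, sep, raw_data = indicator.partition(" = ")
    if not sep:
        raise ValueError(f"not a Set value indicator: {indicator!r}")
    parts = key_path.split("\\")  # ['', 'REGISTRY', 'USER', SID, ..., location, value name]
    if parts[1:3] != ["REGISTRY", "USER"] or len(parts) < 6:
        raise ValueError(f"unexpected key path: {key_path!r}")
    target = raw_data.strip().strip('"').replace("\\\\", "\\")
    return AutorunEntry(sid=parts[3], location=parts[-2], value_name=parts[-1], target=target)


def summarize_autoruns(indicators):
    """Group entries per SID (one SID per detonation) and extract the invariant
    worth hunting on: the value name and the Run/RunOnce pairing."""
    entries = [parse_set_value(i) for i in indicators]
    by_sid = {}
    for e in entries:
        by_sid.setdefault(e.sid, []).append(e)
    return {
        "entries": entries,
        "value_names": sorted({e.value_name for e in entries}),
        "locations": sorted({e.location for e in entries}),
        "suspicious_targets": [e.target for e in entries if e.suspicious],
        "detonations": len(by_sid),
    }


WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def summarize_wpm(rows):
    """Count WriteProcessMemory rows per (source PID, target PID) pair.
    Analyst caveat (assumption): a parent writing into a child it has just
    created is also what ordinary process creation looks like to sandbox hooks,
    so these rows corroborate the parent -> dropped-EXE chain but are not on
    their own evidence of code injection."""
    counts = Counter()
    for desc, _src, _dst in rows:
        m = WPM_RE.fullmatch(desc)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize_autoruns(SET_VALUE_INDICATORS)
    for e in summary["entries"]:
        print(f"{e.hive_key}\\{e.value_name} -> {e.target}  suspicious={e.suspicious}")
    print(summarize_wpm(WPM_ROWS))
```

Across both runs the stable artifact is the value name Parametr written to both Run (the executed dropper, aoptiec.exe / aoptiloc.exe) and RunOnce (dobxloc.exe / dobxsys.exe), each in a new directory directly under C:\; the directory and file names change per run, so a hunt should key on the value name, the Run plus RunOnce pairing and the non-standard root directory rather than on the paths themselves.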
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2b378107a14fee32436a6dda4579e0_NeikiAnalytics.exe" |
| C:\AdobeDO\aoptiloc.exe | C:\AdobeDO\aoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Note: the report does not attribute any of these connections to a process. The bing.com connections and the in-addr.arpa reverse lookups are consistent with Windows 10 background activity in the sandbox image rather than with the sample, and without process attribution they should not be treated as command-and-control indicators.
Files
C:\AdobeDO\aoptiloc.exe
| MD5 | f26770a8fabab220540a33886c05513b |
| SHA1 | dde7fd5dbc4fcc5e5987f39ac6d7177cc64b770f |
| SHA256 | b9a4c44d67e2caa5a08f2c63125b52ad9e21d4519dace84a89c8453a9916af73 |
| SHA512 | 539e69e2e739504ceed3d9fa687503b44247f840e5fd2b3e6f02c0d295448b3828221ae06754a4551247d42a8d085bf417af2a53f610c7644eb486d6ccc3a247 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ef92a291add45b890c13e2e2c005df48 |
| SHA1 | cba3043d3ec9953b7e4cedae9e701ccb575940ca |
| SHA256 | d4eb11d31bda17ad2e24186476cec9991a8f7a28494e47c3b1a3f97787a162d6 |
| SHA512 | 3ad23c5ed6ed70f0b8edb61738c75fb5ef1e427efde7d0ecd431aca7e10b29f79df019848b8d6e8d10602da3591580b65d67d82df834d151339de49b29ae3233 |
C:\KaVB67\dobxsys.exe
| MD5 | b769622e9d2dcc5d612cf10ab0096c3d |
| SHA1 | 7ff3fc9610581cf1736b276d9c9e19003ef817d5 |
| SHA256 | ddfef6fbd190da7cd13f05219964680ba161764bf8aaa65e0d5916fafc8dbcc9 |
| SHA512 | 65dda2f41a6622ff4fd7c5d6efbe97c38720c217485af2e22a57f307c18074344cad053a210e5aca2b0b24909ba4a09619f99eca2d65169046befa6bc9973c11 |