Analysis Overview
SHA256
594ca98ce639d615e87928f8e2a478441d5eff1df9970a2adddf9acd58400fb0
Threat Level: Shows suspicious behavior
The file 9a825f8356f5339b568c238223480980_NeikiAnalytics.exe was assigned the threat level: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:16
Reported
2024-06-14 02:18
Platform
win7-20240221-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesGF\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGF\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid77\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2180 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\FilesGF\aoptiloc.exe |
| PID 2180 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\FilesGF\aoptiloc.exe |
| PID 2180 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\FilesGF\aoptiloc.exe |
| PID 2180 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\FilesGF\aoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe"
C:\FilesGF\aoptiloc.exe
C:\FilesGF\aoptiloc.exe
Network
Files
\FilesGF\aoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | a4eebd37bd8eea340ae139c941d52391 |
| SHA1 | edfa488014d4a7d95ec1d09fc4f67019b16229ef |
| SHA256 | 7f4f424f09ea353e2a835de87067db58b447cc9051b69247028bdb4e79ca5e9b |
| SHA512 | 476241ec0fc9946c3186b36c402bb141c3ad5c35485988ad319e24fd0976b964e2754d1e26d901a1af232dc60954ccf7d4c2632d506197b73c73bd669c5c5bcb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 8535ca058270bd58eee808cbd2861a39 |
| SHA1 | ad8930bd4ca166d34efbaca40ebcf2196e689a88 |
| SHA256 | 2da1ce86f996f1c268e9cd8d74b0e8ab57b2312344edd7bf10d6a04e02e36a64 |
| SHA512 | 27f801f30ddd4a7daadf5937b50f8fcae69d5f74de64078626c6552cc60de4b2d11b20e043a8473b64126e209d27c08a2ab7f1a06fc429768b8ab5b9e24be159 |
C:\Vid77\dobaec.exe
| Hash | Value |
|---|---|
| MD5 | 9d4e4b81a48452166a3ad1ce264a9a0c |
| SHA1 | b375e44a5844f48780c3118961372d6730db998e |
| SHA256 | 85456d9b2fbe8754f65c6063151a47fc5de4b98bec67ea319129ad7eefc0e836 |
| SHA512 | 80fe0997c7fedec2c4130055f3da616cdf7521e825403aa4ca37db2dfbfab2e9aca018b58c33d0930a571b1aa8a0c5e11ef9da47dec61817db802e1ae1741fa7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:16
Reported
2024-06-14 02:19
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocKY\adobloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKY\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSA\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1856 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\IntelprocKY\adobloc.exe |
| PID 1856 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\IntelprocKY\adobloc.exe |
| PID 1856 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe | C:\IntelprocKY\adobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9a825f8356f5339b568c238223480980_NeikiAnalytics.exe"
C:\IntelprocKY\adobloc.exe
C:\IntelprocKY\adobloc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\IntelprocKY\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 55e77fb57e82a909f1dedb5f85f4ab0d |
| SHA1 | b726c2386a50586fb1fefc66af63073f25081823 |
| SHA256 | f8e4c968c62f8fa8fe6332e3c35b047f70c1a46703ffb6f607f9f372f6e955c8 |
| SHA512 | 3d68d64690a8daa21ef7add91dad4cc0a14dae5c314b82697a9f26c624d4a2432cb05fc8ae8b856b4419dc9bd9dd421e5e8f2dc63133acf772080867f5f5396a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 027b2620862832b1d91eec250df6f13f |
| SHA1 | 1a8c9a795effe0992440444e2ba01eeabfe75337 |
| SHA256 | 74a31121c605f6c6a034f01fc740bd40d208e3f98107590b96e90e482d6f3de9 |
| SHA512 | 70e4642aeb7462e3778d28b14308c4d9d8c6add051872319337a397240ae49415a240a163912036e446664aaa7a451bb4cd42b7ad4539b81e7b9c72d5f00245d |
C:\LabZSA\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 58a9f25d47039b127171114523fc5d7e |
| SHA1 | 796a266fb6757906153e9bebb5a06cb5aa88882c |
| SHA256 | 4fce4e22b270a41b13a0d9a7709f20bc67fdba63676cf2f9dcb4927e67c1d16b |
| SHA512 | 4327665b4f4a870a0e71b1278d1d2f8adcd5e0285196c10f0ce87148dc63fbfdcbddc6a9e7cb3c70b7d97ca15d1403574a33760c01124ddb53462048127af7d9 |