Analysis Overview
SHA256
e52e7cd649dbef5ad74239028339c5eac006bf258e5b7c98116f91647775cf47
Threat Level: Shows suspicious behavior
The file 9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:50
Reported
2024-06-14 02:53
Platform
win7-20240508-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrvBW\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDZ\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBW\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\SysDrvBW\aoptiloc.exe
C:\SysDrvBW\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | a0515509f77f09428133b97605cad3b6 |
| SHA1 | cf3f77fd0247fcfa5dcb8947829e12104389ef4a |
| SHA256 | 553ad992338e278300c075edab8074643f399009e16b73b1e0e5c322732f4630 |
| SHA512 | 0113c6d321d629ff141936db821cb0c8bf666629e5b524e97dd6a1e7a0913b876a666aa1bbd737d7ac80de199747a980f6e3a9efb94dfc89f44598220bb97c73 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 91df04342a9453323d655acec3b7602f |
| SHA1 | 31fcb6710c364adc186c071f8f3cb77fa5b9b367 |
| SHA256 | 69d309657f5ece3548acd8ede48b34eaaf89f86a5ee84f654f87d61751e2dc68 |
| SHA512 | fc65d85988a8eccfed0b4fa170c5f43af11a034fdc48a35f06461dc4bc93e24d2505d95f9653f0f2c842065ee8871fe46eff935483ddfdb38c3a7b679f2affe1 |
C:\SysDrvBW\aoptiloc.exe
| MD5 | 60ffdb7bd6d8ee8074e418c59c385250 |
| SHA1 | 268a825e21da75c33d58509badbc738dd110aa45 |
| SHA256 | 203648e76d5b17b83f0677ec38a7a654d8da498025103a58f89a152f49dac705 |
| SHA512 | e17ff3075e6116357ced81950349739309dead39db867a864b62e47adb0dfa9f265c88771023a4060eef235fb8de443e49ca3ad35a7e7b2c75a0f597d39b4c47 |
C:\GalaxDZ\dobaloc.exe
| MD5 | 703298e1938b94b8a048722589106182 |
| SHA1 | 76cf69965dbd2c3eac9313fdd3019ef346fbd507 |
| SHA256 | 6eb1a87af8ac5230a217aacd34de88c59e06268b719fc264c44e62dfa12e7709 |
| SHA512 | 3516ce6ea8807a3fb6c010e95d8450210cb156137ce1b2c7eabc8864fd53cdf8eb31a79323092e9a8ee41dc76c1f14b645b91fb0be2ee13197dbbd875e68fc09 |
C:\SysDrvBW\aoptiloc.exe
| MD5 | abd124627cd5d02573196216d844ab71 |
| SHA1 | 58bb002cb551f08ec92c1346c6c84941af156766 |
| SHA256 | 77c5270fe5158f2619f172c404afa42dce400cd30ff1b71696d56e47fcf5f699 |
| SHA512 | 71fd953523d975d4f4d377d284d027195727e39a73526d9f5a134607a0317aac1cd47a63f9bd1ab378ad82b972f0419397f7fb60d18ae2123f718fd0b381e29f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 10cd8056eb8ea73fe81e269d03ebb1ee |
| SHA1 | c0af50510c6941f76a2f450b16ac10b41230e027 |
| SHA256 | a3a147a05eb11910596cf21749485873623306fc7fdec3a8e5256689c45f4a8b |
| SHA512 | 2e416b234eafcce57fdbeb5635cb9fe7baae1769d58b918e773df983ada9a846933ccd39e925641515be0305bb1b69bbfe638373622069f4aac474603bc635db |
C:\GalaxDZ\dobaloc.exe
| MD5 | 4cc505d5267734706c8a00b1837addf1 |
| SHA1 | e3a402b9bf725ab36864bc26886f02158bfbf2ab |
| SHA256 | 4b39b0288cd06bf2538857292ba11bc7eb2165eec502c4bd000c71d94a899553 |
| SHA512 | 2c97a11bd11950fee4f1729735e5efc8c38d2e8bc3759f635f45c1868457a0d0156d7b446e549b666d864630e6cdc3ef7646e8bae1fc4154b39eff0b68dd055c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:50
Reported
2024-06-14 02:53
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\SysDrvV3\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvV3\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDG\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c94d2158b84017be2fb17e922438f00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\SysDrvV3\aoptiloc.exe
C:\SysDrvV3\aoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 387e0baf398f4846b1973eacba0a6e88 |
| SHA1 | c7fa0a443da4274ed29190c5b826f45fad57ab22 |
| SHA256 | f804ce4a04f397272841e6f044c465c1c3fb55a2a0927c3a39c57796d19920a1 |
| SHA512 | 8cf7bf4cd304d3a12e5393e96cff1380a7405a98b260380f1de8400481de094ebf313c044cb5f8d36707bb218a57ba5067df77f1292963698184d6441581cf0b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a4039924f68e6084da3ef8348830269f |
| SHA1 | 877425c97129ee4213fbd91405b705f5add6bfc3 |
| SHA256 | ae982b18348d7fc195c805c85fdcb093e1efdcb90292a115064325183ce681bf |
| SHA512 | 6f508fda04d5d3fd88f7cfbcbbae40efa5be9affff7e9e4f126d94208e44ca3760cc461aa09e72a9e0773c1b99c5b1d284493c67aaaa578d2d51743d4ac4d1c3 |
C:\SysDrvV3\aoptiloc.exe
| MD5 | 238af395720b858e0d3beac7ac927f8a |
| SHA1 | c78937b6b24b0ff86ec59935a8443d8368049781 |
| SHA256 | 7694ef2267b7ea820f81618e1ae564d15c5a9ffc86d0b2adf30c129f48a8e660 |
| SHA512 | 93af77c7aabec762a2922fa920306fc7007b9c58bc305332fa6d793bf27e95a6a6655833086044d6ed6b959b3c70b7076ea526d35c110657afcb5d91b55b5d66 |
C:\KaVBDG\optixsys.exe
| MD5 | e563fbee63adad226010ba89493b5bbe |
| SHA1 | a3faeaa8190dec160fd82e91c3883bf979353ca5 |
| SHA256 | 93430767cb027e371f4358a978748286bcd5ec9bd0c619e2e5f48cf23d1a057d |
| SHA512 | 3c282696d64d3cd988e7265f83e28f4340425f4b17a4854d2ac8f93549f850b0cb1b144083ae0dd11440730b2db79b574ec2c7df99b43412dc69d62a82a442e2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a0de8f298961e37f8a59dd3cbad26f14 |
| SHA1 | b2795adab5b52fe5f47cdb21ae0d3d7b561d14c7 |
| SHA256 | 790ec155540535f018d97f8727f1b07e5e6e3aabb9d1b03b05bcf430ae4c01d9 |
| SHA512 | c79f151b48d2ad4dc6dde8a25cadd46d3d251ca9bc8aa798f35efa6c9fa114fd6ae221aa2072623d7e67bd8b9b29b7ab4e4561ecac3261ef3b0f77d79fda63a3 |
C:\KaVBDG\optixsys.exe
| MD5 | 1c31992317278cbfbb062cd4732b9020 |
| SHA1 | b2953bc21d0bbd03b25aba4e7b3d56cc63708195 |
| SHA256 | 0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0 |
| SHA512 | a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb |