Analysis Overview
SHA256
93f7111af91cf56c3770d5c7157fc88349c2ba835c005994a5584b3e39742dff
Threat Level: Shows suspicious behavior
The file a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:34
Reported
2024-06-14 06:37
Platform
win7-20240611-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocYP\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYP\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHN\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocYP\devoptiloc.exe
C:\IntelprocYP\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 13d7621a84051f02a7daa0416d516d84 |
| SHA1 | d525fe8a2f85c824108e8967cc28356de9920d58 |
| SHA256 | a5af0bf24ba04ff161087e5db411c1c7b5297e2f392aa48e810a6aa0dd86779a |
| SHA512 | 044d34ab27741a940f01983756e593deab1f17bad4af48148d35dd9df6dfae33b8598b5499458449b51f3790500160d0bcc7b8e7c9d3b78c7016c9f15fa28bc1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3f3ff306c0ab1c4f5fcb5da6bea215ea |
| SHA1 | e9cd23860e4c4a0846bd67e4afbafd852d4f1e98 |
| SHA256 | 8d83b1c55897ae66d81a8f5d710144efba579cac6a6f2e182220162564916da5 |
| SHA512 | debfc7fe0a57af7076b057054e49bd733a71bd010aa9ca45b592d8582e7239bfeda099d5bccf2d55a1d0244ce0cfd7ea97a81b835713d82890a3bf9a044344af |
C:\IntelprocYP\devoptiloc.exe
| MD5 | fc94266a483b2103f13e9c5594646327 |
| SHA1 | 4d916522f9797adeda56243878a03a1e804dcc5a |
| SHA256 | cdee1fa5a596029fb01191882d6b75f3bfc77e87ad06ca8e6fd24b13316d11b6 |
| SHA512 | 4c98648331b65dfe291f0ddf34c61e72d3426e00b17ab1fd7dd3f459c1f37767523ac968ed618b8edafe0db325d85cfb268f70fc600ada0fd9fcfe721d6d00a7 |
C:\GalaxHN\dobdevsys.exe
| MD5 | 0e41a2f1db29a6df6d766e8b6b04c530 |
| SHA1 | c12d7c0e153189cc98e92091749be82fcfd06a14 |
| SHA256 | a509cf2011784f90730a6272b03b508dd053b8b3bb402153096560cb884856cb |
| SHA512 | c5ba1700dad048e182ebfae6370a3fb6c1424134ccd9a5b3911074af44e47038519a437ad1967b9aba0356f67041d8476b7aabdfa93032cc2ca5b8fb2b71cfe9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1558a67c632cec54c67bcae80b433c8a |
| SHA1 | 12aa1ce76f5a470e35162db1ee8e3b11d9e3fa37 |
| SHA256 | c3d564bb89082e4e7ae9024078441e7c8dc78bccb8cd1c038839b6e5a93b929e |
| SHA512 | 38e048f195a0d22342dbc11f017ccd96bb0a151a00e5a455fb5504079fb41c6a1848d89ddcbdab301f000ebf15484eb798bd842445d6c93ae0891cc5600a94e3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:34
Reported
2024-06-14 06:37
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\AdobeBK\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN2\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBK\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
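Both detonations use the same two persistence paths: a dropped executable in the per-user Startup folder, and a Run plus a RunOnce value (both named "Parametr" in both runs) pointing at executables in freshly created directories directly under the drive root (IntelprocYP and GalaxHN on Windows 7, AdobeBK and MintN2 on Windows 10). The following is an added example, not part of the sandbox report or its tooling: it flags that pattern in a simplified, constructed event layout whose paths and values are copied from the behavioral2 signature tables above. The event structure, the benign control event and the "trusted root" list are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One sandbox event in a simplified, constructed layout."""
    kind: str          # "registry_set" or "file_create"
    process: str       # image path of the acting process
    target: str        # registry value path, or the created file's path
    data: str = ""     # registry value data as the report prints it


# Constructed sample events. Paths and values are copied from the behavioral2
# signature tables of this report; the last event is a benign control that
# is not on the page.
SAMPLE_EVENTS = [
    Event("file_create",
          r"C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"),
    Event("registry_set",
          r"C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe",
          r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
          r'"C:\\MintN2\\optiaec.exe"'),
    Event("registry_set",
          r"C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe",
          r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
          r'"C:\\AdobeBK\\devoptiloc.exe"'),
    Event("registry_set",
          r"C:\Program Files\ExampleVendor\setup.exe",
          r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
          r'"C:\\Program Files\\ExampleVendor\\updater.exe"'),
]

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE)
# Assumed allow-list of install locations; tune for the environment.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
AUTORUN_EXTS = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js")


def normalize_value_data(data: str) -> str:
    """Strip the quotes and doubled backslashes the report uses for string values."""
    s = data.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace("\\\\", "\\")


def in_nonstandard_root(path: str) -> bool:
    """True when an executable sits in a directory created directly under the
    drive root (the IntelprocYP, GalaxHN, AdobeBK and MintN2 directories in this
    report) rather than under a trusted install location."""
    p = path.lower()
    if p.startswith(TRUSTED_ROOTS):
        return False
    return re.fullmatch(r"[a-z]:\\[^\\]+\\[^\\]+\.exe", p) is not None


def find_persistence(events):
    """Return one finding per Run/RunOnce value write or Startup-folder drop."""
    findings = []
    for ev in events:
        if ev.kind == "registry_set":
            m = RUN_KEY_RE.search(ev.target)
            if not m:
                continue
            exe = normalize_value_data(ev.data)
            findings.append({
                "technique": f"{m.group(1)} key",
                "value_name": m.group(2),
                "path": exe,
                "suspicious": in_nonstandard_root(exe),
                "process": ev.process,
            })
        elif ev.kind == "file_create" and STARTUP_DIR_RE.search(ev.target):
            findings.append({
                "technique": "Startup folder drop",
                "value_name": None,
                "path": ev.target,
                "suspicious": ev.target.lower().endswith(AUTORUN_EXTS),
                "process": ev.process,
            })
    return findings


def suspicious_paths(events):
    """Sorted, de-duplicated paths worth collecting as host IOCs."""
    return sorted({f["path"] for f in find_persistence(events) if f["suspicious"]})


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['technique']:20} {f['path']}")
```

The value name "Parametr" and the one-level-under-root directory shape are the stable parts across the two runs; the directory names themselves differ per detonation, so a hunt should key on the shape and the value name rather than on IntelprocYP or AdobeBK literally.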
Processes
C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9a0ab0dc7c381cf0e7cde347744dee0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\AdobeBK\devoptiloc.exe
C:\AdobeBK\devoptiloc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2104 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 142.250.200.42:443 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
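The Network table above is almost entirely reverse-DNS (PTR) queries to 8.8.8.8 for in-addr.arpa names, plus two direct TCP connections on 443. The table has no process column, the Windows 7 run recorded no network activity at all, and the behavioral2 process list contains an msedge.exe utility process, so none of this traffic can be attributed to the sample from this page alone. What an analyst can do is decode the PTR names back to the addresses being looked up. The following is an added example, not part of the report: it parses rows copied from the table (with the two TCP rows in the corrected column order) and decodes the in-addr.arpa names. The row layout is the page's; the field names in the output are this example's own.

```python
import ipaddress
import re

# Constructed input: a subset of rows copied from the behavioral2 Network
# table above, with the two TCP rows in the corrected column order.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 142.250.200.42:443 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(\w+)\s*\|$")


def ptr_name_to_ip(name):
    """Decode a reverse-lookup name: the four labels in front of in-addr.arpa
    are the address octets in reverse order. Returns None for anything else."""
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text):
    """Parse the report's pipe-delimited rows into dicts; reject anything else
    rather than silently dropping a row."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed network row: {line}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "dst_ip": ip, "dst_port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(rows):
    """Split the table into the addresses that were reverse-resolved (with the
    resolver used) and the direct TCP connections as 'ip:port' strings."""
    resolved, direct = [], []
    for r in rows:
        if r["proto"] == "udp" and r["dst_port"] == 53:
            ip = ptr_name_to_ip(r["domain"])
            if ip is not None:
                resolved.append({"address": ip, "resolver": r["dst_ip"],
                                 "global": ipaddress.ip_address(ip).is_global})
        elif r["proto"] == "tcp":
            direct.append(f"{r['dst_ip']}:{r['dst_port']}")
    return resolved, direct


if __name__ == "__main__":
    resolved, direct = classify(parse_network_table(NETWORK_ROWS))
    for entry in resolved:
        print(f"PTR lookup for {entry['address']:16} via {entry['resolver']}")
    for dst in direct:
        print(f"direct TCP connection to {dst}")
```

The decoded addresses, not the in-addr.arpa strings, are what belong in an IOC list if the traffic is later tied to the sample; the `global` flag filters out lookups for private ranges, which a sandbox host also generates.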
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 9d857db16d7d3271a18b33b482d21685 |
| SHA1 | d2b55723d8fac1550b4699d9326cbd2af766f84f |
| SHA256 | 63d0d7c7e08be41f7b4bcf5efe39403e4a093b935571d52b54d046f0ad9612d0 |
| SHA512 | b17719785c3e1aa8f781cc4107ea82fabab6546fd94a83dc484ed9cd6c651ca862f5ac6f048fe8057ef85ba1a32f2da5117a32bba74749a3f11acc278a3df941 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0317cea5fcb62379668e3c2f42a4bc00 |
| SHA1 | 7d5e8b75f9d393009f9330283a1f3ab539afb4cd |
| SHA256 | 850e32fce4b1c853fc5c4374f81c5fe82622349a6331286b0f05154c00264205 |
| SHA512 | 5888d23f914df8029c21da2ef79de5d39d97798e999f4f673c55b575f246fbc41d6094d89744bf33aedf6d57d4e646341045fefa20097269d641ed53b11e8219 |
C:\AdobeBK\devoptiloc.exe
| MD5 | 28107855d103d795c85ac0b0ea481c20 |
| SHA1 | 4749463970230c3297077892e5c7aca7a75a01a4 |
| SHA256 | ebfd6f25651f6c1a42ab0d98aeedaf9d58fde24a64740390ee41d51e363879f8 |
| SHA512 | a98a2277bafad1022c05a154cce461fa1ec9c8c7dbb79029745326d229a40b36a76f5ff9fd32c55d10c53e4010b96094c83d5cb95b09fc62e2ea3337cbaf035e |
C:\MintN2\optiaec.exe
| MD5 | 6a8071c169dfe545b41f7a3747179318 |
| SHA1 | 1e4ba5fa28e25f27220966029224fbc740dca595 |
| SHA256 | 08ea73006c351eba5f86fa4f17c1474e173fb746333aa860c0d6b1a4e1f9b1cb |
| SHA512 | ac7b36a76dbfc73ac0e927d9bf84993685b8ed3e617eace76999e92881b3990fbed9307e1dc80e4c815a978ae696c87849a1f9e12a635477de96e110193b79a2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a88c926d02bea122c199b9288e0456a0 |
| SHA1 | 5131cd3a19254e7bed79fde58b98dfd5bc5bf47e |
| SHA256 | f4bc9d996485791451cf9c99cb55e5a8230af0141667d8267f69184ebdbbc37c |
| SHA512 | d2f59d4ce1c10d73be76dbc30d39074fac115b89e82a0b56eb6e49f9b554890f5ea85ea025061a0db99c1bbba6b7853955a628077dd50e7b909950b6f74be4bf |
C:\MintN2\optiaec.exe
| MD5 | dc58dd3ee81a92e4cc4cdc3487454a41 |
| SHA1 | 83d5de561db3a1055633b48640576d53c0e24a31 |
| SHA256 | 5cd873f9efcef9f830416ddb83b3b1db3ac48de0cf6386de1ea1c34decb0ba78 |
| SHA512 | b3ee0fe9b06964a86e04cfdf211bfd123a5ab6f1924591002574e8389017e9f6a28335600dd549716dfbc4d69d872199068f133f3af24d32ac61592ce1231f30 |
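In both runs' Files sections some paths are listed twice with different hashes: C:\Users\Admin\253086396416_6.1_Admin.ini in behavioral1, and C:\Users\Admin\253086396416_10.0_Admin.ini and C:\MintN2\optiaec.exe in behavioral2. A repeated path with a new hash means the file was rewritten during the detonation, so a blocklist built from this page needs every listed hash for that path, not just the first. (The .ini name also carries the platform version, 6.1 on the Windows 7 run and 10.0 on the Windows 10 run, and the user name, so it will differ on other hosts.) The following is an added example, not part of the report or the sandbox's tooling: it parses a subset of the Files rows copied from both sections above in the page's own layout, length-checks each digest, reports the rewritten paths, and emits the distinct SHA256 values of the dropped executables. The function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: a subset of rows copied from the behavioral1 and
# behavioral2 Files sections above, in the page's own layout.
FILES_SECTION = r"""
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3f3ff306c0ab1c4f5fcb5da6bea215ea |
| SHA256 | 8d83b1c55897ae66d81a8f5d710144efba579cac6a6f2e182220162564916da5 |
C:\IntelprocYP\devoptiloc.exe
| MD5 | fc94266a483b2103f13e9c5594646327 |
| SHA256 | cdee1fa5a596029fb01191882d6b75f3bfc77e87ad06ca8e6fd24b13316d11b6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1558a67c632cec54c67bcae80b433c8a |
| SHA256 | c3d564bb89082e4e7ae9024078441e7c8dc78bccb8cd1c038839b6e5a93b929e |
C:\MintN2\optiaec.exe
| MD5 | 6a8071c169dfe545b41f7a3747179318 |
| SHA256 | 08ea73006c351eba5f86fa4f17c1474e173fb746333aa860c0d6b1a4e1f9b1cb |
C:\MintN2\optiaec.exe
| MD5 | dc58dd3ee81a92e4cc4cdc3487454a41 |
| SHA256 | 5cd873f9efcef9f830416ddb83b3b1db3ac48de0cf6386de1ea1c34decb0ba78 |
"""

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HEX_LENGTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return [(path, {algo: hexdigest}), ...] in page order.

    Any line that is not a hash row starts a new file entry. Digests are
    length-checked so a truncated or mis-copied hash is caught here rather
    than silently shipped to a blocklist."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = (line, {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LENGTH[algo]:
            raise ValueError(f"{algo} digest has wrong length: {digest}")
        current[1][algo] = digest
    return entries


def rewritten_paths(entries):
    """Paths the report lists more than once with different content,
    keyed by lower-cased path, mapped to their sorted SHA256 values."""
    digests = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            digests[path.lower()].add(hashes["SHA256"])
    return {path: sorted(s) for path, s in digests.items() if len(s) > 1}


def dropped_exe_sha256(entries):
    """Every distinct SHA256 of a dropped .exe, for a file-hash blocklist."""
    return sorted({h["SHA256"] for path, h in entries
                   if path.lower().endswith(".exe") and "SHA256" in h})


if __name__ == "__main__":
    parsed = parse_files_section(FILES_SECTION)
    for path, hashes in rewritten_paths(parsed).items():
        print(f"{path} was rewritten during detonation: {len(hashes)} distinct SHA256 values")
    print("dropped executable SHA256 values:", *dropped_exe_sha256(parsed), sep="\n  ")
```

Paths are compared case-insensitively because NTFS is, and the report itself mixes "Software" and "SOFTWARE" in registry paths between the two runs.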