Analysis Overview
SHA256
60d45cf36c25afb59d0ebcf196c64fc5e96ed35c156f6dd3e4809d82c557f48b
Threat Level: Shows suspicious behavior
The file 5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 03:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 03:16
Reported
2024-05-26 03:18
Platform
win7-20240221-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesRA\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRA\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXE\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\FilesRA\abodsys.exe
C:\FilesRA\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 185562596455c1dbbdbed46f8dbbefb1 |
| SHA1 | ff7859ab6a1e81909c12cca63b575ff51ed3207f |
| SHA256 | 73dabac6fa44f4beb2a11b19c4f6cfae1c92bcd9a1d61ac88a3c174938d48a88 |
| SHA512 | 28199014896332bfb774b97d98184a506541eab97c16aa1fff1beba0b53a625577a64ba8b8b35e3843e6cd5717d26532da3a0fd67b7e9e97d5abd661f2f5a3e3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c706d8fc597fe10c890258aa03e4defb |
| SHA1 | fe071da16802a145314d8e17651331a8c24db21c |
| SHA256 | 1e648df8b1c4135728772bffc527c659e3849989fd90dc4259744931cf284bee |
| SHA512 | 48afce71354f094729144ad638db74c318f314c08ed4425bc8e15e53ec2d4b47d9aa3798c7f860e63dd761a9c6ad9b732426b063c03a37a2b40a7ae3b8de1d38 |
C:\FilesRA\abodsys.exe
| MD5 | ec55c202d21f238a14572e7a890b631b |
| SHA1 | c388f76fe316d70b37eaa499f1bb6b18cdfb6fb8 |
| SHA256 | 730c45aa477597028916fa943dd2efc93aeac391ef76fdabd93bdde44991b995 |
| SHA512 | 71cc167db8bd70b4d50c7ad5966981e8ac6fd98981ca973257702225806377dcd73b73b725dde85302996f630b4714bb78b885f8104d4f840e94435145bd56c5 |
C:\MintXE\optiasys.exe
| MD5 | 5aea361d614fc982dac8a3c1cf7b3de1 |
| SHA1 | ef4100fe78c487374af00a8b0b260dd6a64d8708 |
| SHA256 | d180fe16debb3c2ce2c7d5b4d7214a8b2f3646c68ec3537715f2ad8de3159441 |
| SHA512 | 9539bf24d683331d2c6335e38c4ce277ec4162bfd397b4d7c55fce8dd80de8cb3d5f2f5c544dd319b6b99b43a3d95759a4b98d0368cecb17edd38f83ec7519e1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 837d8d406931c19607f7226e1718c8bc |
| SHA1 | cc6aac10c1e74a6496c10f604569bea449ba7c58 |
| SHA256 | 118994c2b7dbdab71413348bf940b25055092b9fe694ac8981706bae22e63db7 |
| SHA512 | b1e6a4371b68f472617b4f29e1cc58f007708f94dd331373b985fbcaec9cb09f13f177d01d8d1f5097d5ad6628f6b46f6326a49ffe41cec0a4863aa723dad1ad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 03:16
Reported
2024-05-26 03:18
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
132s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\IntelprocD4\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocD4\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe | N/A |
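Both detonations show the same persistence pattern: a copy dropped into the per-user Startup folder, a `Run` value pointing at a binary under a freshly created top-level directory (`C:\FilesRA`, `C:\IntelprocD4`), and a `RunOnce` value staging a second binary (`C:\MintXE\optiasys.exe`, `C:\KaVB77\optialoc.exe`). The Python below is an added example, not part of the sandbox report or its tooling: it parses the six signature rows from the "Drops startup file" and "Adds Run key to start application" tables of behavioral1 and behavioral2 (copied verbatim as constructed input) into persistence IOCs. The regex for the registry indicator, the allow-list of normal top-level directories and the ATT&CK mapping to T1547.001 are the example's own assumptions.

```python
"""Turn Triage-style sandbox signature rows into persistence IOCs.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
"Drops startup file" and "Adds Run key to start application" tables of the two
behavioral analyses; RUN_KEY_RE, KNOWN_ROOT_DIRS and the ATT&CK mapping are the
example's own assumptions, not something the report states.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"

# Constructed input: the six persistence rows from the two detonations above.
REPORT_ROWS = [
    # behavioral1 (win7-20240221-en)
    rf"| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | {SAMPLE} | N/A |",
    rf'| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRA\\abodsys.exe" | {SAMPLE} | N/A |',
    rf'| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXE\\optiasys.exe" | {SAMPLE} | N/A |',
    # behavioral2 (win10v2004-20240508-en)
    rf"| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | {SAMPLE} | N/A |",
    rf'| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocD4\\aoptiec.exe" | {SAMPLE} | N/A |',
    rf'| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optialoc.exe" | {SAMPLE} | N/A |',
]

# Registry autorun value as the report renders it: <key>\<value name> = "<string data>".
RUN_KEY_RE = re.compile(
    r"^(?P<key>\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<subkey>Run|RunOnce))\\(?P<name>[^\\=]+?) = \"(?P<data>.*)\"$",
    re.IGNORECASE,
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Assumed allow-list: top-level directories where an installed autostart binary normally lives.
KNOWN_ROOT_DIRS = {"program files", "program files (x86)", "windows", "users", "programdata"}
ATTACK_ID = "T1547.001"  # Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder


@dataclass(frozen=True)
class PersistenceIOC:
    technique: str          # ATT&CK sub-technique id
    mechanism: str          # "startup_folder", "Run" or "RunOnce"
    location: str           # startup folder, or full registry value path
    target: str             # binary launched at next logon
    writer: str             # process that created the artifact
    unusual_location: bool  # target sits under a directory not in KNOWN_ROOT_DIRS


def root_dir(path: str) -> Optional[str]:
    """Return the first directory component of an absolute Windows path, if any."""
    m = re.match(r"^[A-Za-z]:\\([^\\]+)\\", path)
    return m.group(1) if m else None


def is_unusual_location(path: str) -> bool:
    top = root_dir(path)
    return top is not None and top.lower() not in KNOWN_ROOT_DIRS


def split_row(row: str) -> Optional[List[str]]:
    """Split a '| a | b | c | d |' table row into its four cells."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    return cells if len(cells) == 4 else None


def extract_persistence(rows: List[str]) -> List[PersistenceIOC]:
    iocs: List[PersistenceIOC] = []
    for row in rows:
        cells = split_row(row)
        if not cells or cells[0] == "Description":  # skip header rows
            continue
        desc, indicator, process, _target = cells
        if desc == "File created" and STARTUP_DIR in indicator.lower():
            iocs.append(PersistenceIOC(ATTACK_ID, "startup_folder", indicator.rsplit("\\", 1)[0],
                                       indicator, process, is_unusual_location(indicator)))
        elif desc.startswith("Set value"):
            m = RUN_KEY_RE.match(indicator)
            if m is None:
                continue
            target = m.group("data").replace("\\\\", "\\")  # undo the doubled backslashes
            iocs.append(PersistenceIOC(ATTACK_ID, m.group("subkey"), m.group("key") + "\\" + m.group("name"),
                                       target, process, is_unusual_location(target)))
    return iocs


def autostart_targets(iocs: List[PersistenceIOC]) -> List[str]:
    """Distinct binaries that will run at logon, in the order they were registered."""
    seen: List[str] = []
    for ioc in iocs:
        if ioc.target not in seen:
            seen.append(ioc.target)
    return seen


if __name__ == "__main__":
    for ioc in extract_persistence(REPORT_ROWS):
        flag = "UNUSUAL DIR" if ioc.unusual_location else "ok"
        print(f"{ioc.technique} {ioc.mechanism:<14} {ioc.target}  [{flag}]")
```

Two points worth carrying into a hunt. First, the `RunOnce` targets (`optiasys.exe`, `optialoc.exe`) appear in the Files sections below but not under "Executes dropped EXE", so they were staged for the next logon rather than run inside the 150 s kernel window; the hunt has to cover the registry values and the staged files, not just the processes seen. Second, the directory heuristic only flags the `Run`/`RunOnce` targets; the Startup-folder copies live under `C:\Users` and are caught by the startup-folder rule instead.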
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a23077e9e58a3b323a0e8b90632f9c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\IntelprocD4\aoptiec.exe
C:\IntelprocD4\aoptiec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 7b93a4e66fa3765d938db7bf837cff7d |
| SHA1 | 810688040286ddb14d6ec111bd4cf80ae1b53003 |
| SHA256 | 6922f3c7f9cdefd8c5cced8cc00f0ffaebea77a1d762c6db2c2f1172fa646345 |
| SHA512 | 5ddb060f6d12568f314f097ec6b775f0aa0ecd0e7ebe93e9318363a587c0f371bedb326d449dce5ca86097b8ebaeee525dfc5370f923835ac6e20fe810f0c3ad |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 299cbfc1d6dbb17153d90037a7e50fd9 |
| SHA1 | 19a09fe29443829899c60043efade80403ced503 |
| SHA256 | f020577056b04361884dd821bbcbceb350399f52414ff86ab416d6f3cec56b1b |
| SHA512 | 17d3895812744ead222baa9e3f75f5824ab4412a4f61d573303db38e4ebacd8e732d3a2d176790d8bf89d1b407f6803260088b9509c969187e0c9888469aeebe |
C:\IntelprocD4\aoptiec.exe
| MD5 | 846f420d2ff4e271aaeb2dfa83826e75 |
| SHA1 | 8658064734b3a41f270b9605ff38ca279fe44694 |
| SHA256 | ef96f4202310d3279c44697c1c9cad315fb83e6cf34915f154205187354c3059 |
| SHA512 | 42d700b9748049718af6a0aef42d90467ba33628ba45ebfb5ded1f42442a7626073d502351ed355210e1ead2054e615c43b60bb135b516cce93c99208806d5ca |
C:\IntelprocD4\aoptiec.exe
| MD5 | b51798fdf62b5466fab42bbb393002a0 |
| SHA1 | 5541ce2c9c1012f46a83ceaff7bacfb5ab408bd6 |
| SHA256 | 1ec498d01fdc3527845b07a1804651e9c6286ccc74ee3e5a6e36fd0252b31f09 |
| SHA512 | e918c938b9b24f10b530dd17d7c3e844a37b5af7113ea4b9687d7647f73597df0f2d8b7887a7f25cddfb56014d8c40ccb559b192fc2f30caf448c024282542ed |
C:\KaVB77\optialoc.exe
| MD5 | 3d61f5980a01c44e89ca0990aa7c62e8 |
| SHA1 | a089598220eb5b0d94aad429acbc10feebc9559e |
| SHA256 | 55110208d72f3943be9d8bd5154f66b3059c7644b9bb47e9682c7b99751bf6da |
| SHA512 | 080ef59b1e1e30de263408c885e06c71b302f24adea3e9bd5e9bcf92b4b31cb82cca5ef396b55dc56db8639b93dcf0ab53a4c881483fc5e7cf6bca05ef4d4f0a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 673b2dfe0636b8effc34f00dee2ad33b |
| SHA1 | f95329bf0d1f7e3f40fb42873cd621523c0a2545 |
| SHA256 | 2c18e6483af92afdcdc3db4793a383e8aa3ddbd5425e8205b6145a0a2df1f5a3 |
| SHA512 | b0376c2c3e2287fe76a0788d3840618ce57fc3f608a7b59fde241a4bec24c44239f60d53c7cc6e697c9c8c5f92bad57b8d28c28ec7dd036ac353e8ca5a7d1435 |
C:\KaVB77\optialoc.exe
| MD5 | 03f0c6a6fe78e5bc7540c9c0acdfe667 |
| SHA1 | 73e6cb9b5478d0fb1f8a6b0326b7f0c1ae71de50 |
| SHA256 | a303a059788bcf9842c86e9ad1128c90cb808e9363846c03db5b6c959b8de4ec |
| SHA512 | 8dc59c53d532d5b88a5a872a2379f9191298fd5a66901c3b1cc555db3ab9421abe7b14c91fde491c8c63ec66be72306ab5d6c0bb4813e974712dba8449ad7410 |