Analysis Overview
SHA256
f0b1a3da5db0f9783fa7b583eb8b32450028fc4216b3cd107367ec3d8c714460
Threat Level: Shows suspicious behavior
The file 5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 03:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 03:17
Reported
2024-05-26 03:20
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotLO\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLO\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZX1\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1368 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotLO\adobec.exe |
| PID 1368 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotLO\adobec.exe |
| PID 1368 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotLO\adobec.exe |
| PID 1368 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotLO\adobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe"
C:\UserDotLO\adobec.exe
C:\UserDotLO\adobec.exe
Network
Files
\UserDotLO\adobec.exe
| Hash | Value |
|---|---|
| MD5 | b5c6fd7d2c0a09a7032ad55ed05bc8ec |
| SHA1 | c77bab7052262ceb9b8473a88fc6f65f27116754 |
| SHA256 | c7cca1f5c1cf1851378baa6f60c543f5b93a9afb7508fe4b2a7bb6d393d400af |
| SHA512 | 7901456a6626577c20564d602395dcf4a8423ab806b0ebd0bc5b37af44fcf14eafbf35ad117f1ba5e3dd61df3befa2801fdc17f9ed3a58fc586b628d91abb8d4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 0a7a707d2d178c6d82c4fb8e029925d5 |
| SHA1 | 049a81d69e40b207c4dfcdcc8fb1d7750c72f1b9 |
| SHA256 | d19a1e51214538187c712bdbfeb0345a88ec7ed5f0f0d7ea46bcf2ca4b06840d |
| SHA512 | 71754b24c86c2f077a1f0f1aa9cc90f814486d9d67e3c364caa42ccbb0b7f017ff4e69f6fd994fdc2aad1a3b44699c7066dfc87382ae44c632775e2b6a94cc52 |
C:\LabZX1\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | 563fb2603ff748c39b99d00d5cafda17 |
| SHA1 | d39da2bcb40eaa19a775f4a81b349c731cdd0161 |
| SHA256 | 2b65882c8a589c99bd7efe83c08bdc4eedd84570d102876388fb8428ff8c6d5b |
| SHA512 | 803086526ba0b182f700dd63e9ce02d3d31da3ac781e37867a44168ca2f569538c58747d0c0eddfcdbb4128beffc665b005557aadeba9f6468e0e028298b1dae |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 03:17
Reported
2024-05-26 03:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotMX\abodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMX\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax89\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2216 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotMX\abodsys.exe |
| PID 2216 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotMX\abodsys.exe |
| PID 2216 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe | C:\UserDotMX\abodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a4f682610a95f7168075b335e8686b0_NeikiAnalytics.exe"
C:\UserDotMX\abodsys.exe
C:\UserDotMX\abodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\UserDotMX\abodsys.exe
| Hash | Value |
|---|---|
| MD5 | 1e9cebd6d48111986b394d26f31bce30 |
| SHA1 | f06e7d8a88483771022be0cc30dd61e2f12de666 |
| SHA256 | 67fe6582945579bcf01ce6f99285f1352adcca4f4efcaacbc4e4d21db14b1d42 |
| SHA512 | 3a41cb83e672fe1b8e380d614cce11e8a5d279178eb6b25d2b391ce67b5450e7305bfb157e529c423539812bd89cbdb9f9cc65c4ebebe56b585e28a335cd9877 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 5e8e6b5dc601f638149765771e5186a7 |
| SHA1 | dd79b37dabc259b5d969bf3e7110830791115414 |
| SHA256 | 2a045990f6d62dfe434dc4f1e0f5d2d4ba82e87a54e625b2e876becda60f4c2a |
| SHA512 | 681c34c5565720f116053cb8e949a7c25a78c0c68b64ef6dafded997097f69ca84824624fc1acc408fa67c0e21d60a5af5c50337a3cdb5eac1bc2c0f87a286e4 |
C:\Galax89\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | c0d87e8bc455f716231fd060c9bcbcca |
| SHA1 | d77de701691cf0d2305480e5877d5bd06ab564b5 |
| SHA256 | 3c926003acacae5acf099a47b1bdb9c503af4cd5f604f1e732b4d25763ff4036 |
| SHA512 | c7111acc6402bce72edff1e6d1b5fe8e902415e6a70fbc0b74b82309f236ddb7b34bbc4acfaf14b5ecca4854840f62cb703bb2c40f23dbd0e293e18cb67450ce |