Analysis Overview
SHA256
2d75f95a25322dc84ddda401f7c23a34fabfd02274c445a532dedea2acbdf9e2
Threat Level: Shows suspicious behavior
The file f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:43
Reported
2024-05-26 10:45
Platform
win7-20240220-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvXF\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXF\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT6\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvXF\abodsys.exe
C:\SysDrvXF\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 3f8d8fb734e378cb7d375aa1c4fb7db6 |
| SHA1 | 39714a73b8889424cf93f5f86db9a7cc83b9e7a1 |
| SHA256 | b2b6039ee683f0db5e46b273aca3ecb59e306983a975f186030890583c18b783 |
| SHA512 | 17105fd2b3c1b92753499e286ca306fc05b20fc1e630c92a1cc0a3b36b0b007a4e6a2eee7e515b48fd49a3d834cbfe071920da19f29d97ff219a5144c0dc254e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6d949a9b3899e7a9ab231041d70a9080 |
| SHA1 | 9097f87cca17c84b4704ead3d12606036271d09c |
| SHA256 | 0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa |
| SHA512 | da7f6e86fa077c69657121fcaad9198b0add42dce6f1d0fd362f28ad200219c91c6d6e7f2f7da08c9e204fabf3a9afa61a37a7655c1e9818c48438cf55a8e3ab |
C:\SysDrvXF\abodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | df7fa9e729488246ee0425f921c8fd36 |
| SHA1 | 65591321bf1615113575a4434ff329b861066628 |
| SHA256 | 5f9f0e1f768d9deda245eca5fcfd6f401bb8c60cf37295d8e6bc1b9c66c9c365 |
| SHA512 | 4fcd91e6b1499a9657c425e5c1deae95cfca5946dc851dd4da5aafec5f0cf7d6523afaf2bd1d67b823e68626b4eebc228405862cf4e2e5f9cb5a49ece86a684e |
C:\VidT6\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 220e15dd5527891136f5faf5db678d45 |
| SHA1 | 8965bef77f13d4b7efe541f0da6f6daea3d2325f |
| SHA256 | 0159d71873cf5aef7e2d54b3ddc49c1440eaf5b9ae6b5ab060fbcf32b88a40c2 |
| SHA512 | f0395c1039bb818a89a8a376cabf32f0f01e2f7dc9251411b1f42597787ba84f4993753a7b9f6b0c0115e705c4f6d5bb8ef7d9630fb605b5b51a145e44e906a3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 461c8d513f979b1d4ddb5d7d1ad6cd48 |
| SHA1 | a1058425371677703145eaf38aed7815a5910cf0 |
| SHA256 | eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c |
| SHA512 | 82c3ff71bcdd1c3c205bbf0a7d3293c0e7fcdfe54b430c331eab2d981ba059a1c03c98b13364d39565c8d06271d9dbcba24f6be2d0d5cb808ac878042bed3641 |
C:\VidT6\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0fbb3b036957b6a87448dee9c81ff188 |
| SHA1 | 385b34d6bdaef7c16f30afd8852420094a0c979f |
| SHA256 | 90e2676b0a1da4cfa1e1008da4ad87401582cb3fab109f8a57a9789ceafab159 |
| SHA512 | de9790f480db055e2e8170e25df772b9b594f0b52ef59248b1d5651540309e245c240bd6159fccef0c90d61f19c1ac154123ae91e94c92f595cbf2cd5990b7c7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:43
Reported
2024-05-26 10:45
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeOA\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOA\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6L\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f5136e16d689d43ffc49dbf8e94f7f40_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeOA\xoptiec.exe
C:\AdobeOA\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | c4effd59be91ae5f838e5f1a30de3caf |
| SHA1 | 77e8a75508cb7dc1b6d7db3ac1cb8190c2dfd13f |
| SHA256 | 321d70efba9f8acf1f552313cb6e23e309cbb0f2d6418e861b865b939c6c607d |
| SHA512 | ac827f9d05e7b78d510bdfb1a651cfde84ea0249002902bbed8bb400bfc34bdbeccaa7d8cc3b0de7c9568cf4348a89ac7fc49f565d3626f28adb1223926f6b39 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 93f241b3d14f79cd1b71132985f7e952 |
| SHA1 | a1dda9e14ebbc7c8403013471bacf026189989b2 |
| SHA256 | bcc6c96e9d11dc083fb3276a6c732c65c6ef55d29498658d4fe96725ee9f9a08 |
| SHA512 | d41b78a33df75e59c7f3736c8d86f0aee5073b1cac861fe4011115ae1bf0ee04f1836cfaebc531806fed6cc6da735f8412cdb1aa68db5b2d6edddd607dd25205 |
C:\AdobeOA\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 20e1191a3af7f287cc2a2eec1935777e |
| SHA1 | 2a2d1262a48a791d746410752856b61f24125083 |
| SHA256 | e8e67342b6a2d59e5863f3665cc59fdda9ad41766b310ae49d2bbc73f235ec69 |
| SHA512 | 43065932170b8afcc4e88062e1a0101e7f007b98418e7c93d27a990898579d2d3822f54eeee28620f1ffa7c569746902480b23c60bf5977ac2b00738949f8434 |
C:\AdobeOA\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 81dea9c37b017da3f684a6b9efc4419b |
| SHA1 | 49c0dd12ccd7cef38bac7c83985675933ba9fa4a |
| SHA256 | 332d648a9e3a13b578870cc9864b202ad5928edc9e4311121dc966d6a1856f58 |
| SHA512 | b86954210bb81909f92cb890d7d502000891065bd5ea1febae30bb9d07a585a8f2ad4499c5a3390dd9dd3eb7a9a08ebc6919e9b3e57515df55d5c4fd21ae1afd |
C:\KaVB6L\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 2993743e97101bcc2692d14a9df3b0ac |
| SHA1 | 6dfadb8e5770f049f1ff6bf105439012ad76cb42 |
| SHA256 | 57805ba6bb90791255d15d49daf1b3641772b7d4d19babdc1e0bee563385c1be |
| SHA512 | 2b18954105ebf5fa991b2844f7a09bc867b44441c8cabb386ce9a7474d28f0d9f3fa4ff09aea02d6bb96a5da288480a1f05a138e5c4c32b18a96c6a810645dea |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f9d8a8e62ea17d2f40c805dce1412989 |
| SHA1 | e00171ac785d929693aea980be66e1f23aeadf3d |
| SHA256 | 8d0c39a257356ff9f753d081439d05e9f138ed03701e6038a37f5e35525995bf |
| SHA512 | bb7572f691ec6fc2a6eb2fa763da3bd33eed12a68ba29edcdc35b3ca0c29fdd07fff9f7b7e788a1b744cd136ddaa31d724c50a6903b959d349224fabcdfd03a1 |
C:\KaVB6L\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 8fdffef8a19ba1eba75a253463f3473f |
| SHA1 | 413d88322e499fcd9d00243592494f6430103f33 |
| SHA256 | e8c073d7e4b8184059057ddd8755dd60975b8368a63ef6aa01af346077ddc6d4 |
| SHA512 | 82ddb2e1c41b717a287a70ab7e75c720c5d1835b7ac12544ba63b40563eabb116e46af341fc873ad4f1dc6fec4574e6d571864cc96db4a15d81b923a6f5a6931 |