Analysis Overview
SHA256
e946698f73192c13925f2b81f24645f4fe7fcb8bad5b582fbd91b2396c898421
Threat Level: Shows suspicious behavior
The file 4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 07:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 07:44
Reported
2024-05-29 07:47
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\AdobeU7\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeU7\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA7\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1888 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeU7\abodec.exe |
| PID 1888 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeU7\abodec.exe |
| PID 1888 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeU7\abodec.exe |
| PID 1888 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeU7\abodec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe"
C:\AdobeU7\abodec.exe
C:\AdobeU7\abodec.exe
Network
Files
\AdobeU7\abodec.exe
| Hash | Value |
|---|---|
| MD5 | b8d7511b07f2e05895145cb277142da0 |
| SHA1 | 0db70c4ccbe8b3bed70d68eeb6b402995ab2e2d0 |
| SHA256 | c2422a31af595ecb1c1d0ed41ea6a414b6e8cc7781d9f3b80622ad7e1e6e4203 |
| SHA512 | 9bf3a02386cce4e7121a3cc43f5b36dbfe5ae3e9cfa0162f457e4a11cf75d6d56b0cdb0e84293d837d54955166d5b39bf593666a9bb87b4e96f9655d9cc47620 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 618cc3d63f6b09d0e5e467c03cfd4747 |
| SHA1 | 8528f411225beb349e5164021cd04e0d50710b8d |
| SHA256 | 9f930361c86c167d3bb759f2515aa46132b6f8ee952b508122d8b008988f2051 |
| SHA512 | 6b79769116b7431caa71560ad5ccc04a3542068e9b6a6e76b8f71de9751ed336a763e1410bd2e1d709ae767619c28efadbfb88fc7e05a90c3738527279c8649d |
C:\LabZA7\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | 5e4cb1835e9fa347a40321442fc05f6c |
| SHA1 | 2743099b18b2c7a3c50111fe37223a91831113a0 |
| SHA256 | 21db063530b6db228731ce6bbf08a064a9607df2e6b06e3af95b75997566cbc6 |
| SHA512 | cc2aa3067807aa01c9448668e63af8af9b01b89631f1c0a0b995fa21e98abcf32a94f5b3ecbfce80f05a2d60c7f2016c111138bbc4b022243c0a4271ab6fe343 |
C:\LabZA7\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | eef4502cbb32dc36ad288bb35321f759 |
| SHA1 | 93d205672d19751386aac490fc03a4d98ae1f217 |
| SHA256 | 9d15de58b270dbe9c3ea4268ae02f4f5c279c2ea0206cb84facf0611657271a5 |
| SHA512 | 7a4ad42bc35ef4a1398dcce77088a735b1fc998d95daa74b03a4ba484e6e8f46ea299ec2746b8f5212613196a444003e013b8a75740a4e004348f9a645031343 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 07:44
Reported
2024-05-29 07:47
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\AdobeAR\adobloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAR\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNG\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3444 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeAR\adobloc.exe |
| PID 3444 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeAR\adobloc.exe |
| PID 3444 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe | C:\AdobeAR\adobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b49ccd5ed47ff20784bf1940c856cc0_NeikiAnalytics.exe"
C:\AdobeAR\adobloc.exe
C:\AdobeAR\adobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\AdobeAR\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 7cac7c8c8098a5b5fe163dd07c9fc6e3 |
| SHA1 | 5c85c711465f0829ce122bfe1388e27f3603ea06 |
| SHA256 | 5e647df3928ca7095038f6362758eba85cb0fa5366afb49bcd9da67e26e89378 |
| SHA512 | 03903f20f0213d88d27c633cbc3592cb9fe646ae0e2a5c98c0bbf4a3c05179cbbe8ee06586e5adbba917749bc961836db0a656ca2e8d81fbaa2b4744e3407480 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 1162caa4ad6e471db8797f02bb67e66a |
| SHA1 | 93a562dc3c11c014698add53d8cb47acb8e1f099 |
| SHA256 | f6365bb41a21a1762eb2c5800432d4880e221d186daeb21ac987e989a345142f |
| SHA512 | 82d220a82629d8f3d45302031c2cdd46f9d65fa4c3e593f365b4c7d21970dc5a8a261fc0d1f68eb6eb8f535f9a09421fbf2d118f2c30babc3e93d797274ee23d |
C:\MintNG\optidevsys.exe
| Hash | Value |
|---|---|
| MD5 | 0024b9de4074abf70baddaf53e71d755 |
| SHA1 | 9625186ef7afe8a1d37a741132a8fa2d5c1d93ee |
| SHA256 | 6ac037504a3448af4107d6a363a740417a266be137fa998b32fcc1a860777c00 |
| SHA512 | 2418afefb4088aeeed58cbc6226d42d3516e54b426d718740794459430639a27ae722a5fe3ce6f15a583dbc559352a825d6b2fef8063d679cc9f9a8a9d4f1794 |