Analysis Overview
SHA256: efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e
Threat Level: Shows suspicious behavior
The file 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-06-01 07:11 |
| Reported | 2024-06-01 07:13 |
| Platform | win7-20240508-en |
| Max time kernel | 149s |
| Max time network | 118s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesHE\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHE\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSD\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\FilesHE\xdobsys.exe | C:\FilesHE\xdobsys.exe |
Network
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 03a4f5e48d6a555bad1a7630ab10d4b9 | eee4f3c636ca33b71916bc31ae863c1ca656c7c1 | 60b002858983e8c8e3f087a047025fd5f30a39683728ce0952c11084ac59816e | 1d431585d80b88b2f3731e8d61658607c9075d336864571ec2c749b59960227243862912c238657dda7debd99520f7ec3d5ca043f14a7879609341aebeeec024 |
| C:\Users\Admin\253086396416_6.1_Admin.ini | 0e0023155685f24775b075491b8a142c | 0c504c627013fdbb406bb9b3900cd580aa7282f4 | 884f606c8d089a07250b090097eaa195d77ae286a8a28192cc2edb85e7338dd1 | 860740fb9d0d61f4690f77fbadf15b880000a6ab721c6ea07d6533cb2003c6bc5501deb4ddfa41b92a7a281b9b4651a401db6905226e65e7544f6dc69e2ff845 |
| C:\FilesHE\xdobsys.exe | 3af6c98cde4ad21d6decbf70eb30936b | 1b0135ad6a26a7a765e13888afdc568f1771ff0c | 917da62a00fbddd515e1e38c159e3004390807ba8d00ded61e36e52e6d58878c | dbfe93c53f45cad57d916787a7730efda67c838b4888a1b5f118d82c80cd28f9e3fa56f59bdb26a22cef3828a0a693c11b559b9c647677672deee254220ac989 |
| C:\LabZSD\dobxsys.exe | dda011c7fcfa573da1bd6921cd6d1783 | 7432d2803ba1db78287b9b90eacdd800cb8a256e | 6bd62d8c0857bd53bae90684dc830c243ed5d43f21534dcee414f790e1d7e72c | ab7d5e7765f7f9f55919d835163cfc190fe85c7bf34e202e0976ae5d1e28652432029a19b8dd5548bfdee16acab20f99d932b4dc33e59ac4a152927abe02759c |
| C:\Users\Admin\253086396416_6.1_Admin.ini | c73491ecb6955ef78e3649e30046eee7 | abd61f8cec8deba33164bd7250e21f2b11d2b991 | c95fe04a2d15fd3b6620f720a2c51cb3a4114372c933921dcedf3915c8f94dc6 | b2056c7c8a37c9d9aafe0767fe7cd0def0ec7a1164ea60a5c11dcf8b3fba40251e71374353d8638f00c404b97ab989108b3b87c629a1355f2b820e5945ee7980 |
| C:\LabZSD\dobxsys.exe | 9066f9da2f6e14f558228b695e72cbf2 | 91038a2a5cdbee686253b1163db1462b67afdc3e | afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4 | 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-06-01 07:11 |
| Reported | 2024-06-01 07:13 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 150s |
| Max time network | 102s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\AdobeAQ\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAQ\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8A\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\AdobeAQ\devoptiloc.exe | C:\AdobeAQ\devoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | 422e51efbfe9dbae5e0289de0e28461a | 49461f8ec7a7586a10b8f8119c4ac0847b7e9016 | c63b5f21f351d52ff864d5dc97aed42545432822e032c7116da3d791617b8bfb | 51f71f2e907e0a95bf6a3a9d36bc2124dd76ed1ef3c32520e42893ded7e25ebea29ee93138049458d18ebb2233afb551aca88d61b78a10168795883d700adfe8 |
| C:\Users\Admin\253086396416_10.0_Admin.ini | 89f0e8dcae8d91bd555b1adf10e5483c | a47b6df9fd7f84b7f8f3dc10734cec25499d408a | f46f81e1d33a2056f2850210cfc3d02a4cd2b5a64bd677785b0f6071363deb82 | a1e53fbcef86a8134bf79ee6896cdb13d7c9305742b75c66e2d8f8999e619615858d346c334790a608ffe9ec980493387b06d774ff9835807b7712b34197dea5 |
| C:\AdobeAQ\devoptiloc.exe | 7bfa6806c82ccb87583a1413d623a059 | 6363a8302ec0e4ec88fa5d84b4f62a97069585e6 | 2dd2b02e8e0ee2d1a2d223c4afe7706174a7eab60443157c9cf3a03ff6c16c29 | c4b758f1b855ed1692353a4f3927c04a2f2720c0aa4b990bea5338704fdcc213979f64208ad96cf2889cf1fd88a25da292ced468c7caf5c4de8fbe0ac0744273 |
| C:\AdobeAQ\devoptiloc.exe | c6201d853cd4fab72ce3cc1a402e4c5b | e6ee620ac1f9a09ebe305efd1eec391e8eed529c | 40e942cdf9d04fc0f7f76ea34874b22cd98f348771ac0d3a606cf0acba8399bc | 702845f84e0d256ee229b123f1a4d7844d21a79f4573cb064ed4e0da37bfe18111b6351063413f83e7cf1f537b77c992d0450860f9f8f07e527ad3bda655f4d2 |
| C:\Galax8A\bodaec.exe | 78e689b1693a09f0e68385e004a58793 | 1feb8278a303d75309047e4e7a2f898fbb5588fc | cab100074e54c13155de6a58365c1adc05490400be37f5d0c40c1b403b208878 | a86c53a25dec391e059b8818790a5ebd670fe9407d208f147da9c3d1a65c84c72ef0425ff38e361a13f903a8b23d0d96951a219d3dbdd8a19ee2d9cdbe54e609 |
| C:\Users\Admin\253086396416_10.0_Admin.ini | fbbdc9a2c89a3f50d0a7b1978dbe8c5c | 58252fbb4d0df8021e268bf5074679e2a9de26ce | a9a14db8788e6c2325c5120692f755e3871ededd0757e184527ec5bb230f1b4a | a3da38f340602e01163be40819c3f08a278c7b5bf73da8aba7215cd59f668e62dead112951bbb107ad729c847762f248054e67bb0f8a4cec6ae3fb327f7e6d36 |
| C:\Galax8A\bodaec.exe | ec463a08f11d892c223029dd1bde52b6 | b3712ef6852c8285efff050ba46e51db7dd667b4 | eebe92a07fb459ec41bcd5c56c7721e0c6f8407ab8b0a083a539641dcacd5425 | 43e70d0e92b9e70a7c3bd693514ec5cb66af71958cb1821b5f668e48e230a37b394aa7af79bc9f125a3dabaf5b81a84f8b6019d08a1b7ee509a655403d60cbe1 |