Analysis Overview
SHA256
99ab8c39cc9545caa98e3735828468242e9fa40b34669669144e2ce252839d8c
Threat Level: Shows suspicious behavior
The file 7708296758770825dd203c43b4624550_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:30
Reported
2024-06-02 22:32
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotTV\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDG\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTV\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDotTV\devbodloc.exe
C:\UserDotTV\devbodloc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:30
Reported
2024-06-02 22:32
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDot7R\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7R\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBG3\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7708296758770825dd203c43b4624550_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDot7R\abodsys.exe
C:\UserDot7R\abodsys.exe
Network
Files