Analysis Overview
SHA256
8cb8e8317e97f9cc32f42b6d3ec3245c9ea032af1bc139498773d8e9636a22fc
Threat Level: Shows suspicious behavior
The file 7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win7-20240508-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvXF\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXF\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT6\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvXF\abodsys.exe
C:\SysDrvXF\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 5c9a9c502f8949fddf991399862f24e9 |
| SHA1 | 0c1140417266fd9e1574c6240b69c717fd05ae97 |
| SHA256 | 61b7d46e9047c5a7ab1d1bfccc0a6606652a7b360879e81af2f0807c7b548936 |
| SHA512 | 1a9b0f09e1a90cb64978eb2e258953e15a38f994a8a025747607deea2f9b280f77e99877ce7e2ed78845b7a52afa0b919f68a97d7d157dc66fe822b4d5489823 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6d949a9b3899e7a9ab231041d70a9080 |
| SHA1 | 9097f87cca17c84b4704ead3d12606036271d09c |
| SHA256 | 0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa |
| SHA512 | da7f6e86fa077c69657121fcaad9198b0add42dce6f1d0fd362f28ad200219c91c6d6e7f2f7da08c9e204fabf3a9afa61a37a7655c1e9818c48438cf55a8e3ab |
C:\SysDrvXF\abodsys.exe
| MD5 | 227ae3b17b3f9143121c8bba26367dad |
| SHA1 | ce1843d996e40a0363fa9eaeda7f5a2cd3bc7a49 |
| SHA256 | e9f9f2f5a7d87b48b243df85984daa7e3c83a5c49956ed2b23dc99db74493649 |
| SHA512 | 63c373534ce750fa5ffb4635e2e19ecc3f6c51b7081f7ccb289eb5ff777448a3426f30aa9bb845c1f3505dd6d639af964fb1dee81f15542adedd29019206acac |
C:\VidT6\optixloc.exe
| MD5 | d2c06c317ce690648b68788abd0fa13c |
| SHA1 | 02261a0589ecc3cea53d6639c54adc41073ce3ce |
| SHA256 | b4215f81c53a05fdf9f21d2962f1b7f38da26685f98a6945573112a3bed1accb |
| SHA512 | e620553f50a8a0ef323a535f8a714b468130e0dc0495dd75c1892324e462604ae87b1c14438f17eef20d40d057fcb67a8127bb299e676f7339fbb88e3e368dd1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 461c8d513f979b1d4ddb5d7d1ad6cd48 |
| SHA1 | a1058425371677703145eaf38aed7815a5910cf0 |
| SHA256 | eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c |
| SHA512 | 82c3ff71bcdd1c3c205bbf0a7d3293c0e7fcdfe54b430c331eab2d981ba059a1c03c98b13364d39565c8d06271d9dbcba24f6be2d0d5cb808ac878042bed3641 |
C:\VidT6\optixloc.exe
| MD5 | 6bb891bd1b5fbc8a0d1b041b57ffeccd |
| SHA1 | 9cdb8f739f9f7becff5e5e2fd052f012881766a6 |
| SHA256 | 872b23a382e31921319f24a14556c71bedc2ade87a70e280546cd19778ae3b8b |
| SHA512 | 7f34f820724f8b458ec393782a391e50529a622fc8de4bfb0ebff6d4fa7e03021dd2b4cb802989dccd46b84318ac5237c77ce61e3aa15afcb787e4fbdbc9a19b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesU4\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUR\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU4\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
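Both detonations record the same persistence pattern: an executable dropped into the per-user Startup folder, and a Run or RunOnce value named Parametr pointing at an executable in a freshly created directory directly under C:\ (SysDrvXF, VidT6, FilesU4, KaVBUR). The Python below is an added example, not part of this report or of the sandbox's tooling; it runs that check over constructed Sysmon-style events (the EventID 11 FileCreate and EventID 13 RegistryEvent field names are Sysmon's, the records themselves are synthetic and mirror the indicators in the behavioral1 and behavioral2 tables). The allow-list of root-level directories and the benign noise events are the example's own assumptions.

```python
"""Flag the persistence pattern recorded in behavioral1 and behavioral2: a
Run/RunOnce value pointing at an executable in a new directory directly under
the drive root, and an executable dropped into the per-user Startup folder.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's indicators; field names follow Sysmon EventID 11
(FileCreate) and 13 (RegistryEvent SetValue), but the records are synthetic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# ...\CurrentVersion\Run\<name> or ...\RunOnce\<name>. Case-insensitive because
# behavioral2 logs the hive path as SOFTWARE while behavioral1 logs Software.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Exactly one directory between the drive root and the .exe, e.g. C:\SysDrvXF\abodsys.exe
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Root-level directories that legitimately hold executables (assumed allow-list).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass
class Event:
    event_id: int       # 11 = FileCreate, 13 = RegistryEvent (value set)
    image: str          # process that performed the action
    target: str         # TargetFilename (11) or TargetObject (13)
    details: str = ""   # registry value data as logged (13 only)


@dataclass
class Finding:
    rule: str
    process: str
    indicator: str


def normalize_value_data(details: str) -> str:
    # The sandbox renders string values quoted with doubled backslashes,
    # e.g. "C:\\SysDrvXF\\abodsys.exe"; turn that back into a plain path.
    return details.strip().strip('"').replace("\\\\", "\\")


def check_run_key(ev: Event) -> Optional[Finding]:
    m = RUN_KEY_RE.search(ev.target)
    if not m:
        return None
    data = normalize_value_data(ev.details)
    exe = ROOT_DIR_EXE_RE.match(data)
    if exe and exe.group("dir").lower() not in KNOWN_ROOT_DIRS:
        return Finding("run_key_to_root_dir", ev.image, f"{m.group('key')}\\{m.group('name')} = {data}")
    return None


def check_startup_drop(ev: Event) -> Optional[Finding]:
    if STARTUP_EXE_RE.search(ev.target):
        return Finding("startup_folder_exe", ev.image, ev.target)
    return None


def scan(events: Iterable[Event]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.event_id == 13:
            f = check_run_key(ev)
        elif ev.event_id == 11:
            f = check_startup_drop(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed events mirroring the two behavioral tables, plus benign noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU1 = r"\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion"
HKU2 = r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

EVENTS = [
    Event(11, SAMPLE, STARTUP + r"\ecadob.exe"),                                    # behavioral1
    Event(13, SAMPLE, HKU1 + r"\Run\Parametr", r'"C:\\SysDrvXF\\abodsys.exe"'),
    Event(13, SAMPLE, HKU1 + r"\RunOnce\Parametr", r'"C:\\VidT6\\optixloc.exe"'),
    Event(11, SAMPLE, STARTUP + r"\sysxdob.exe"),                                   # behavioral2
    Event(13, SAMPLE, HKU2 + r"\RunOnce\Parametr", r'"C:\\KaVBUR\\dobasys.exe"'),
    Event(13, SAMPLE, HKU2 + r"\Run\Parametr", r'"C:\\FilesU4\\xdobloc.exe"'),
    # Benign (assumed): an ordinary Run value under the user profile, and a temp file.
    Event(13, r"C:\Windows\explorer.exe", HKU2 + r"\Run\OneDrive",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event(11, SAMPLE, r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"),
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:22} {f.indicator}")
```

The root-directory test is what separates this sample's Run values from ordinary ones: legitimate autostarts live under Program Files or the user profile, while each detonation here writes a two-level path such as C:\FilesU4\xdobloc.exe. Matching on the value name Parametr alone would be brittle, so the check keys on the path shape instead.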
Processes
C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7812552ab69315d1846232b2802885a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesU4\xdobloc.exe
C:\FilesU4\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 877642e4cd783ec07f4bd75c05232914 |
| SHA1 | 4d5aa437d674ce7a55195129dcafc8a710c25634 |
| SHA256 | 5388a0f7651b608daa9da8514a63bff533140a3faa506b3b990c1829bdca48f6 |
| SHA512 | 1b5b498d51fc313861319f86010bd3717881c6bcea6282138e27c8172490f5026fb9ac5ca3a7b7305bf89654708a8b1694b9ab23ce477e065fa786ccf32068cc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7dcb7586f0a7d5b3d31868358ff623d8 |
| SHA1 | 1393dfa31c3c3ad43ba01cfbb4461bf128dc27d8 |
| SHA256 | 08b99d4b5b8e81e6fd5b6fa98cf2bb0fdfd0bb598d422e4f79f36af61ccfb760 |
| SHA512 | 7bdd865d541ed67271cccab71c502a319b7254492f2c240fa971889478b2c10cbacd2a3ceff23f9254926b81b6654ff35750922c80126cd8597ab02ddff5a95b |
C:\FilesU4\xdobloc.exe
| MD5 | 9386bcb69b77d2b14d2d9446240e66e5 |
| SHA1 | f67368e0a0ebc6b787ece7f604de123426c8be2f |
| SHA256 | f978c0badac5e91e63f48989eb5a8a5ab0d1b755b27cc95272c973d3aff3753b |
| SHA512 | db531d01d1f7e443eefb2b27b537828bbce322b1f787f0cd3fb1c18f0d949bc35725e08bbc9bbe1a9b2d680de900b7a113cb58df0bc6671eb2dd864737f71052 |
C:\KaVBUR\dobasys.exe
| MD5 | 77323804eee5bc7b6d1ac4039a964865 |
| SHA1 | 53aa0c2eb38952ecd5cb8a7a8cfd2afc44f2bda2 |
| SHA256 | 740102b23033fc43b2852b5d815bf5c0e3eac21736f2b2a997438df92f21e2c0 |
| SHA512 | 551b21384a56b20c5b95cf584c3267dfef1e79a3bb9637cd8a9aa5997802654b8b70143166bdaac94f6121713a4676ad67e1020941073e83854419c9dee57497 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 956feaa236c588376be57a9bfb7f9b97 |
| SHA1 | b5926b66a708713f7d0c27f64ec1fc1b738a7d86 |
| SHA256 | d4c95d16f886c5e7da4c460cf12dad3a919ef147bdc07fe20311fcea17e7e06d |
| SHA512 | 7240dc6d331fce0eadd94e9c166911a664c3450c39a380bd1a2fd519b6606388e6a07566bad36d0880476d819062267c8ef75f7e124a109a9d4c647080b7c385 |
C:\KaVBUR\dobasys.exe
| MD5 | 5a5190dd37f9d52a014e6f78f7d9e6ac |
| SHA1 | 8267835bfc5b6d1ddaf5841fdf26f6221042df75 |
| SHA256 | 0da2b2607843b82f18a1aee997f45bd83fdcb5d65b42ad41ed64465b14ee97e7 |
| SHA512 | 49f84a9c54e3bcb865df1068b85e062d5e079ed1fdefc98bf30b3c3c79d0bc82f892ea6638de2082bc8b57d165499eea1c5a04e1ba8648555a5dc892ab7dbff6 |
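The Files tables are the report's hash IOCs, and they repay a closer look: C:\VidT6\optixloc.exe and the 253086396416_6.1_Admin.ini file each appear twice with different hashes, so the sample rewrites its own artifacts during the run and a single per-path hash would miss the later version. The Python below is an added example, not part of the report or of the sandbox's tooling; it parses the Files layout used above (a path line followed by | MD5 | ... | rows) from a constructed excerpt whose values are copied from the behavioral1 tables, with the SHA1 and SHA512 rows omitted for brevity, and lists the paths that were written more than once.

```python
"""Collect file IOCs from the report's Files section and show which dropped
paths were written more than once with different content.

Added example, not part of the sandbox report. REPORT_FILES is a constructed
excerpt in the report's own layout; the hash values are copied from the
behavioral1 Files tables (SHA1/SHA512 rows left out to keep it short).
"""
import re
from collections import defaultdict

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

REPORT_FILES = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 5c9a9c502f8949fddf991399862f24e9 |
| SHA256 | 61b7d46e9047c5a7ab1d1bfccc0a6606652a7b360879e81af2f0807c7b548936 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6d949a9b3899e7a9ab231041d70a9080 |
| SHA256 | 0452084b0d44972f4623cbca011dca6d01e0300d5469f5d3c985b4ee0b1c31fa |
C:\SysDrvXF\abodsys.exe
| MD5 | 227ae3b17b3f9143121c8bba26367dad |
| SHA256 | e9f9f2f5a7d87b48b243df85984daa7e3c83a5c49956ed2b23dc99db74493649 |
C:\VidT6\optixloc.exe
| MD5 | d2c06c317ce690648b68788abd0fa13c |
| SHA256 | b4215f81c53a05fdf9f21d2962f1b7f38da26685f98a6945573112a3bed1accb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 461c8d513f979b1d4ddb5d7d1ad6cd48 |
| SHA256 | eab40afde7367658717a9e8051c047a52df1283db672fc081ac87e20173f355c |
C:\VidT6\optixloc.exe
| MD5 | 6bb891bd1b5fbc8a0d1b041b57ffeccd |
| SHA256 | 872b23a382e31921319f24a14556c71bedc2ade87a70e280546cd19778ae3b8b |
"""


def parse_files_section(text: str) -> list[dict]:
    """One record per path occurrence: {"path": ..., "MD5": ..., "SHA256": ...}.

    A line that is not a hash row starts a new record; hash rows attach to the
    most recent path. Hash length is validated so a truncated row is caught.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        algo, value = m.group(1).upper(), m.group(2).lower()
        if len(value) != HEX_LEN[algo]:
            raise ValueError(f"{algo} value has wrong length: {value}")
        current[algo] = value
    return records


def versions_by_path(records: list[dict]) -> dict[str, list[str]]:
    """Map each path to the distinct SHA256 values seen for it, in report order."""
    out: dict[str, list[str]] = defaultdict(list)
    for r in records:
        if "SHA256" in r and r["SHA256"] not in out[r["path"]]:
            out[r["path"]].append(r["SHA256"])
    return dict(out)


def rewritten_paths(records: list[dict]) -> list[str]:
    """Paths that were written more than once with different content."""
    return sorted(p for p, hashes in versions_by_path(records).items() if len(hashes) > 1)


def all_sha256(records: list[dict]) -> set[str]:
    """Flat SHA256 set suitable for a blocklist or retro-hunt."""
    return {r["SHA256"] for r in records if "SHA256" in r}


if __name__ == "__main__":
    recs = parse_files_section(REPORT_FILES)
    for path, hashes in versions_by_path(recs).items():
        print(f"{len(hashes)} version(s)  {path}")
    print("rewritten:", rewritten_paths(recs))
```

For hunting, the stable indicators are therefore the path shapes (a two-level directory under C:\ and the Startup folder drop) rather than any one hash; the hash set is still worth exporting, but every version seen should go into it.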