Analysis Overview
SHA256
0dbeefd31c074d4961a8aee9bee33e3543174598a770561d0e23f6d62bd2deca
Threat Level: Shows suspicious behavior
The file 1d604908f917403385d726c694a8b040_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:36
Reported
2024-06-02 01:39
Platform
win7-20240215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrv5C\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5C\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCR\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\SysDrv5C\abodec.exe | C:\SysDrv5C\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 086fce2867006ea3eb6f72ad4757e9f6 |
| SHA1 | 05660b2d1beeaa1d257785de087376590d21d960 |
| SHA256 | c390c581550cdecc196da925e25a512310341119a5da5a9cae989967a0991616 |
| SHA512 | fd726d891b0f9a90c502f385ab32c242d512b34daa53d334a3c070f0c3099055aeaaeaabe5b8d184b8ded4accfd1d2d6f46b3990c4016812bd1743b0b78a42ac |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 05192d27c4dbd0edd026e25c5a3590e7 |
| SHA1 | 4cc0e2ef0a6e7b190007ad3d8f15fe09043ab970 |
| SHA256 | a631ad3275f01487ebc72e920846b12d38bbd580458807c5cc2fc01999c9abf0 |
| SHA512 | 759441844b753e6a8c636eb042ad0661c9bf418737ad12a6d3ffe28b33159110d53a0e3a3e20064740aacd23de418bffc4e69ce4739be86e81fe6517006ccbce |
C:\SysDrv5C\abodec.exe
| MD5 | 9a0c3c9155f77810721e7d9080fe42ee |
| SHA1 | a54131a774ed32aa2ceb2e4f9338347e903bf3f6 |
| SHA256 | 991e7c03746cdca059658246c5b3f1a105b6a5852bf7b1c2321a3bdf2c263a49 |
| SHA512 | 83d803a7150fd8bed8bd6755260a73a3880dd9b582e6b3b52c80d454400f6c3dbf72d1926ba40337a7a327bf8071d6b3fa285b14b2aeda69356ae2e927c53465 |
C:\LabZCR\optiaec.exe
| MD5 | 190202bf4b592dd24148ef6979a349d5 |
| SHA1 | 399089da2bd41a06c354d2263f4721faa6be8693 |
| SHA256 | d5703adc068a43ba8f91fbf3feda4b9b4ef2ae5c74fc472a29a0ad9dd98b6983 |
| SHA512 | 21dd90fd902f67505d20a4d4fc9075ae7bac4f6573706d5b8e62235da43f738a46390bb7d04074b2c4f2e965dfcaf697487bd7a9a0e5eb4a59e71bf8554efa16 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fc1d292de70d2ab7dbc0cc5f481b3706 |
| SHA1 | 7eb1d235531ba3b8ca3983ef00d600e459a669c1 |
| SHA256 | a6f43a7eb127b3a2548e241ae2da2bc323f9b969b0bf2b3c8a4b592312a1aa83 |
| SHA512 | e549c7cd0db6dddc1d889172b41d21d64cab34c2f8a322e96c2b2b5dd2b3730287d05e14929fb11ee4c47e4b3c715ee4ba2d7e8adb636785e6a3885ab601d4e0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:36
Reported
2024-06-02 01:39
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\Adobe3M\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3M\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHX\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
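Hunting for the two persistence mechanisms recorded in both detonations (a Run/RunOnce value named Parametr pointing at an executable in a freshly created root-level directory, plus an executable dropped into the per-user Startup folder) on a host's Sysmon telemetry, as an added example that is not part of this sandbox report. The events below are constructed to mirror behavioral1's indicators, with one benign vendor autorun (ExampleVendor, a made-up name) added as noise; the field names follow Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent, value set), and the T1547.001 tag is this example's own ATT&CK mapping rather than one the report states.

```python
"""Triage Sysmon-style events for the autorun persistence seen in this report.

Added example, not part of the sandbox report. Event dicts are constructed
inline to mirror the report's behavioral1 indicators.
"""
import re
from pathlib import PureWindowsPath

# Tail of an HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run[Once]\<value> path.
AUTORUN_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder the sample drops into.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Top-level directories where an autorun target is expected; tune per estate.
TRUSTED_DIRS = {"windows", "program files", "program files (x86)"}


def command_image(command: str) -> str:
    """Return the executable path from an autorun value.

    The report renders values with doubled backslashes (C:\\\\SysDrv5C\\\\abodec.exe);
    collapse those, strip surrounding quotes and drop any trailing arguments.
    """
    cmd = command.replace("\\\\", "\\").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def is_suspicious_image(path: str) -> bool:
    """True when the autorun target lives outside the trusted roots.

    This catches the C:\\<NewDir>\\<name>.exe shape the sample uses (SysDrv5C,
    LabZCR, Adobe3M, MintHX) as well as anything under a user profile.
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts]  # ['c:\\', 'sysdrv5c', 'abodec.exe']
    if len(parts) < 2:
        return True
    return parts[1] not in TRUSTED_DIRS


def triage_events(events: list[dict]) -> list[dict]:
    """Return one finding per Run/RunOnce value set (Event ID 13) with a
    suspicious target, and per .exe created in the Startup folder (Event ID 11)."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 13:
            m = AUTORUN_RE.search(ev.get("target_object", ""))
            if not m:
                continue
            image = command_image(ev.get("details", ""))
            if is_suspicious_image(image):
                findings.append({"technique": "T1547.001", "key": m.group("key"),
                                 "value": m.group("value"), "image": image,
                                 "writer": ev.get("image")})
        elif ev.get("event_id") == 11:
            target = ev.get("target_filename", "")
            if STARTUP_RE.search(target) and target.lower().endswith(".exe"):
                findings.append({"technique": "T1547.001", "key": "StartupFolder",
                                 "value": PureWindowsPath(target).name, "image": target,
                                 "writer": ev.get("image")})
    return findings


# Constructed events mirroring behavioral1; the ExampleVendor entries are benign noise.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe"
SID = "S-1-5-21-2248906074-2862704502-246302768-1000"
RUN_KEY = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr"
RUNONCE_KEY = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr"
SAMPLE_EVENTS = [
    {"event_id": 11, "image": DROPPER,
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"},
    {"event_id": 13, "image": DROPPER, "target_object": RUN_KEY, "details": r"C:\\SysDrv5C\\abodec.exe"},
    {"event_id": 13, "image": DROPPER, "target_object": RUNONCE_KEY, "details": r"C:\\LabZCR\\optiaec.exe"},
    {"event_id": 13, "image": r"C:\Program Files\ExampleVendor\setup.exe",
     "target_object": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "details": r'"C:\Program Files\ExampleVendor\updater.exe" /background'},
    {"event_id": 11, "image": DROPPER, "target_filename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['key']}\\{f['value']} -> {f['image']} (set by {f['writer']})")
```

Against the constructed events this yields three findings (the Startup drop, the Run value and the RunOnce value) and ignores the Program Files updater and the .ini write. The trusted-root list is deliberately strict: legitimate per-user installers also register Run values under AppData, so in production pair this with signer or hash allow-listing rather than widening TRUSTED_DIRS to the whole profile.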
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\1d604908f917403385d726c694a8b040_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\Adobe3M\xbodsys.exe | C:\Adobe3M\xbodsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | f4e39854499a01189ac56d6f62ac207d |
| SHA1 | 58619499427209916576dfdb2bedab80bf038514 |
| SHA256 | 538a27b7cd1afe90df16bb1db4d24c6f2508f7f5127ea29e576a58664399d027 |
| SHA512 | 48117cb7db55ecc6780f39aa5d05690d614376c3db550755f84d78a930a02f407b59cd76a468915fce623b7d92cb72614f724a2cd3fbf6e8110cf208426380ce |
C:\Adobe3M\xbodsys.exe
| MD5 | 395331e434fb67375040e7c2d52cf206 |
| SHA1 | 6e52480c2b3ffb2c807d6e9ed0d166b1d0ba3707 |
| SHA256 | db9a94c81273ee8eb166c673c6cf7b65d0aaad2b4e6d9795cc51e691c27339c0 |
| SHA512 | 22f31c55700c6ff59102af26263c392eaa0cb4215a2ac853561a94415823dba78be982b802b7b7a34d59b8682313df155f1e6fd6df1f5682932cc213c83ea208 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2359deabeb0bcd118a9358b4f85230ab |
| SHA1 | 4f245d9c1a77160b7bff140dce7eb8a4b8a3cfdd |
| SHA256 | 6b06c57cea82f387fb2111e6a41f8a821e1748ed0fe2dc7fe5feb1d099ffc778 |
| SHA512 | 06ff1ba8a2e47405ff0f92a28ab2fbfa87b565d283ffcc9882e81c51f51b6e527db3933fd73d6f5f8c525f0fc7a74ed92a39d3ad0d7df5706c089bbd947b0308 |
C:\MintHX\bodaec.exe
| MD5 | 4d750cd571c5bad3643f9c9cdbe747a0 |
| SHA1 | f3d1714f5b10ca1d5bb01339ec20961e7be83320 |
| SHA256 | e93d2ff3806eb9226cb152c62bbaffc42a7e155f551575865dfff64aa0ae34e6 |
| SHA512 | 2d1b9f13c5a3d3d88727d1e5f2c765336fddaf3df6fa33aa1034fecc002318a0e9369feb108635ac17761101913ac4285c75ad3c12da6bc359d66776cdf77c5c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e9fb1d686f50d35dd3b54efe9febef2f |
| SHA1 | 381dfb472486c3c73292625a978e0ffffe0bd9c1 |
| SHA256 | 78f8b13436cea1064694af9e23e568e008c6e5c73704aff94bbe4753476b87a1 |
| SHA512 | 12479cbf1578888c23dd66094781f47ea7bc9e499c9ea521eae03fffbedbb3d46eb0283cf0121ccab656656d7884f7a92de87b2f9a829fce7b5f00163d185294 |