Analysis Overview
SHA256
c03c26b58140e15af25e6f1354e61f87f1e2b55c60b7480617fae2149942fc67
Threat Level: Shows suspicious behavior
The file 1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:39
Reported
2024-06-02 01:41
Platform
win7-20240508-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrv9M\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9M\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSX\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrv9M\devbodloc.exe
C:\SysDrv9M\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 47a5fef988bff37b15c97d3f9834eebd |
| SHA1 | 3908fa254443805456c9959550dfadc60909ee94 |
| SHA256 | 71a36d6cb306a3680297187e8c164b25e6481e179fa0cae46c9ff822148671e6 |
| SHA512 | 699b60a0c6100075b7dcea12eab3357fb25dd7508675cd1e3c67b7d7a64ecb14cafc795073a1aadadb0f3db26ada77ea043ae8b40ed299642d7474c6c090a55a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2864ae6b3fc94f45711f434c0c437a98 |
| SHA1 | b8897a729a358dc87dd8566f6882e2d7398d921e |
| SHA256 | 476f3b3c52379502b4bf29517aa72c25963c5141ce298842f8708ca641f32ccf |
| SHA512 | 75966a6fa4b54581ce5a2e0d2d4ff9cf0645ee5ec8e13ae0f09c4521a05773c2ae9f2278a36df44b6ec712843e25161d51621683a38eee7c8b20d5bf0702b340 |
C:\SysDrv9M\devbodloc.exe
| MD5 | de93972e078c742e067860a4cc04872c |
| SHA1 | 4a752e442b8b446ed6f79682a215993ffb9a4a47 |
| SHA256 | f9ab2c76c5bfe850108ded22ed29e8fc7fb158168709fd5189dd379fa3662cf0 |
| SHA512 | b4c92843547e4075a35e08ad86aa312829ae413967b6c4269bd808c6948c454a20d6c31d182449d49b98bcee60717893e673e075da4965d66497b0b6326f8157 |
C:\LabZSX\dobdevec.exe
| MD5 | e3aacacec53011b6206a9c3fc1ffbc58 |
| SHA1 | 9f49330b81c96e79c03759b83ed706fae399e4dd |
| SHA256 | 4594010f9028d13fbd9e1c085de36377bd4f1676093cae03bb0a1dae81dacf9f |
| SHA512 | f5a6739d266e4b5afcd3eda533faa581a273d99a479a1d2f8fc6b19267e99f3aca0a696ec518d39c523426a4397412e2ca48e899527c65b8d450430850e147ee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fb88fa4fe6ae30e1a127920aaa78adda |
| SHA1 | bd74540048e9ef6ad220de51ebb7a01d8bd49796 |
| SHA256 | 3c56d13873a6d61a494f744851f1cab460deb1befc8b6f4b295c28288e08529a |
| SHA512 | 56cf4cf76ae44ddffab0dec6896ffcff34b2837f4659957ed1cf4961b0c27adbcb3a622aa9b8ff123c776974c1d1db61b4dbedb7fc05ff89e679cada97b849a1 |
C:\LabZSX\dobdevec.exe
| MD5 | cd383c013ccafa6df1d0e74ffc344cbb |
| SHA1 | d58732279c4a3fd08774abfe99f3e20e152717a9 |
| SHA256 | 523a5fd2479a2c6f1018aa8fd23859b3e277e19bdaf7402190031026acdc4143 |
| SHA512 | ae4b2ce785196e506a7209b31ab56e7fa36ae09e2e0cdfc83da2e76b1fbb416da294e9a36367378e8089e7555e7fb77369d6cd779418e212a3da1f0366a40a73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:39
Reported
2024-06-02 01:41
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotX7\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5X\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX7\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dc8ee51bc2ea2dedbdebaa13f155160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotX7\xbodloc.exe
C:\UserDotX7\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | b4e5700f7e5ccd89e179700c58331ca5 |
| SHA1 | ca35b2560e2c127c3909cea033561d3f2d55af11 |
| SHA256 | 25cbcb7acf1184ec9fa7d7e733309647ee6690e5d126e936f91a0d584c036aa0 |
| SHA512 | ec1f9d85ba5bf483f106cf3c369c14d1f17b2cd277d5cf638b859470d2ab7d6c9271f5d1d2dc337f8ce6f8f3cd474d03189a701c7a77fe3d74cb4df61117831b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d433c1d6567631fa6fb3a0052a9a062 |
| SHA1 | 9c1528c8426cf5ab24bc7380c10e1d316f07210c |
| SHA256 | 670911d13e3ca28087217fbfb0f0ff6a030b27001fc79ff0b8aa49dace3e9d9b |
| SHA512 | e2f7d44507a5c60ac3494ca47b556dfcac0d76d5cca13362724fd3f581caa8d18399127557e957d5509a69d1859c71a99df2fdd7f8a50dd379b9251114801c81 |
C:\UserDotX7\xbodloc.exe
| MD5 | 9144eb248bd8c9e02abcd2e4b31085cc |
| SHA1 | 898df30a81947bafba526677fa2002de09f7f738 |
| SHA256 | 7cffdd9e8279fd1a64d94a1a48fd0c4300127a2e8b442abe2c432aceb6fb9da2 |
| SHA512 | a9274d7c0d3f43491174585361217a920ae45a912b67b783edf8f95110e2b0c680006f4bf8b6fca3792e76c9bfdfb544ed31b57a95d9f94c71d9b7ded5c4395f |
C:\UserDotX7\xbodloc.exe
| MD5 | aa1febc73bfa0efc4c4043f06aa6630a |
| SHA1 | 7f8cddd68581b340c4865145f4292bae161747f2 |
| SHA256 | 62e963e5a763f0763e92197413445526a593fe5a2bee8fec2d10b5b090c07361 |
| SHA512 | 2ef64b2c5a6d9b9f04a70eb8de3001307b52c4699986bf406e589e0c9bde88f2132b9449882e2eb0937814c31694fae3e94f63a696efc98358cabe4361e251b4 |
C:\Mint5X\dobxsys.exe
| MD5 | 4ab1617f6384487fefd4f267d6dd514b |
| SHA1 | a1181215394cbf7a442c44d0ec42e4812fbffd3f |
| SHA256 | 60d8ee8adece0b266d87fbeb59fbaadf35324a0e4cb1bf879035dad99a85a2d0 |
| SHA512 | 24b33c25742524d2eb5bf54207ec36bc2931110497aab599636d9148419cea88690de5cf35ee990be28ade07992560e428265ece577044a895ac94c149171eef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 189df933c9479fb6a2ad5d900b304c1d |
| SHA1 | 277049bb0ee37941cde4f81afa16ef53a27a682b |
| SHA256 | 31d320972d293e32cf22807c22d6f0592670086480d9468f09beea33c7227b42 |
| SHA512 | 6411b5c69ba3cfc94388c3ab1bdfe1e1578963f7004368d43ad21881f345b4a5669fecf008c90fc5bb6790cc1ac5622ab6684eaa9c167e3b5238bde189f58d85 |
C:\Mint5X\dobxsys.exe
| MD5 | 474e813e61c6aa0fadb5dcd242dc4743 |
| SHA1 | 0d35606140fc0b84c6e24e54a605ae45cd096c42 |
| SHA256 | f0ba49b3b32532b70c1a3ad65437c6ee09d0580c39cc279f1c51d3669a16b3b1 |
| SHA512 | d97831249202dc33968e50defb6086459bae4ed7b3bbdc4d9a565f26cdf9bbaf65b55ec83fb075f15437cc05d869d4a52ae1123bfd38cc486813e75cf62ee931 |