Analysis Overview
SHA256
ed8e54a4324ea0f52a9102821073aa15bdf95933054af5dc5d3d15041a11645f
Threat Level: Shows suspicious behavior
The file 18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:04
Reported
2024-06-02 01:07
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocZG\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0Z\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZG\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocZG\adobec.exe
C:\IntelprocZG\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocZG\adobec.exe
C:\KaVB0Z\bodxloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB0Z\bodxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:04
Reported
2024-06-02 01:07
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesOH\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOH\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8R\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18e4b311da973f96bdc5fa89bdb1f9f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\FilesOH\aoptisys.exe
C:\FilesOH\aoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesOH\aoptisys.exe
C:\FilesOH\aoptisys.exe
C:\KaVB8R\dobdevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB8R\dobdevec.exe