Analysis Overview
SHA256
f069a0c13ca5c87218abe3c18c44716cdb39fb37554720dc01264897b4ff2048
Threat Level: Shows suspicious behavior
Verdict for 3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 05:07
Reported
2024-06-02 05:09
Platform
win7-20240508-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvGD\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6H\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGD\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\SysDrvGD\adobloc.exe
C:\SysDrvGD\adobloc.exe
Network
Files
Note that C:\Users\Admin\253086396416_6.1_Admin.ini and C:\LabZ6H\bodaloc.exe are each listed twice with different hashes: the sample rewrote them during the run. The 6.1 in the .ini name is the NT version of the Windows 7 guest (the Windows 10 run below produces 253086396416_10.0_Admin.ini), and the dropped executables differ in both name and hash between the two runs, so the hashes in this section identify artifacts of this detonation rather than stable indicators for the family. The Startup-folder drop and the Run/RunOnce value named Parametr are the more durable indicators.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 400df63cbb09dcf7b37fa37a57a40a92 |
| SHA1 | ef98ee73e3d387bf97bc7db85a6d05ee0a196aec |
| SHA256 | 4fb7a8c7497c5f32e1a98a49a404a9024804cb46ff0236bcceea1e37c60e623a |
| SHA512 | 537266d6f6f12a8c4392895c1c745c8b46cd4f9402b27d30b247e8964f76e41be4f31fa2f06a4245a57c27c058dee41b1ee6b7b1c8a1563f8940b7c3f40de953 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e67a20773f54763c2abd62dfd1afbac5 |
| SHA1 | e8aa226f23976a38d29ca80d7cf41732b68d8051 |
| SHA256 | b515e0725c37dff5eb773be0ac3192614b5798d46a352a67f434fff4f11564b7 |
| SHA512 | a8a9cc8d34d2b5aff344d8292dd8b4b30947c2fb0d750dd6d701310f395ece2a270df25043b1adb9e6dfac36576908779e2a364430eb40f9bedec991946d3255 |
C:\SysDrvGD\adobloc.exe
| MD5 | b5f2c4f840e58fe7dbb9929b7828aca4 |
| SHA1 | 292f3bc411f713a0625510f0da6f573b603e353b |
| SHA256 | a57a01e70eae890153ba686815353084d1bc8a65427c447d1e0f17c9b9eeb9a7 |
| SHA512 | da5606726bedfa724640d7eb577495f574c7c04e9e53bd39c2c722cb83753f9be4215dcb48a3f67bf3f4ac39f69dbe285fecd1f8a6302b2146bbbf99b6d50ea0 |
C:\LabZ6H\bodaloc.exe
| MD5 | b4e7073f4802ce1a6bf970b42a524ad2 |
| SHA1 | 2363d714a52bb2439cbf48ccfbbd1e29536cfe3b |
| SHA256 | d0fbb44f041a1019890a0633c8ae4a3715ffc1c135832b18a62aa0d06ca73f50 |
| SHA512 | fd0f9588e92060d284ba69e18e7e9033d138041b51fffc6ad73b5e5fe27f44655982d943550319aaf122dff540611c5e1e511b0ddf12b15f7735200db50404f7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dda27ad32db4a85ccbe27ff6e3fb960e |
| SHA1 | 644175d64f7e41b6fbee0eac161263244247bb0f |
| SHA256 | 22327df47c7c578c798729697f9a92130698ecb529a8bee8d250ec056d20184a |
| SHA512 | 4b95424abafb8d8446a447c134c432963130b14d056c373a5ff4df8d949e24dca74e79aa496e063673665f5043f780f834e8b7e8a8f2859b03026ce53e1057c5 |
C:\LabZ6H\bodaloc.exe
| MD5 | 3746139f59df2bf83446ffc0f4bdde87 |
| SHA1 | d76e0ddf5f3e0c51b9f0f7cca0a4558e1f2c1b53 |
| SHA256 | 777e02d38f089426e9d0fed1259c5aebdaec2b25b681cdf5e72bed17a9d27574 |
| SHA512 | 43628512790448acb49114e85043e36e3b28284974c164c04007ee873968ae69108ae3d35a9f26ad15a1f38add64ab76f51875d21ab376a3c8c2c910b08847c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 05:07
Reported
2024-06-02 05:09
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocYL\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYL\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO2\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
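Both runs record the same persistence pattern: an executable dropped into the per-user Startup folder, and Run/RunOnce values named Parametr pointing at executables in freshly created directories directly under C:\ (C:\SysDrvGD, C:\LabZ6H, C:\IntelprocYL, C:\LabZO2). The following is an added example, not part of this sandbox report or of any vendor's tooling: it runs two checks over Sysmon-style Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent SetValue) records and correlates them per process. The event records are constructed to mirror the behavioral1 tables above; the field names, the benign control events (OneDrive, msiexec, explorer) and the allowlist of legitimate root-level directories are assumptions made for illustration.

```python
"""Detection logic for the persistence pattern this report records.

Added example: not part of the sandbox report or of any vendor's tooling.
Event records are constructed to mirror the report's behavioral1 indicators and
are shaped like Sysmon Event ID 11 (FileCreate) and 13 (RegistryEvent SetValue);
the benign control events and the root-directory allowlist are assumptions.
"""
import re
from dataclasses import dataclass

# Values under these keys run at logon (report signature: "Adds Run key to start application").
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An executable exactly one directory below the drive root (C:\SysDrvGD\adobloc.exe),
# optionally quoted and optionally followed by arguments.
ROOT_LEVEL_EXE_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\(?P<dir>[^\\"]+)\\[^\\"]+\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)
# Per-user Startup folder (report signature: "Drops startup file").
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Assumed allowlist: one-level directories that legitimately hold executables.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str   # process that performed the action
    detail: str


def check_registry_set(event):
    """Sysmon ID 13: Run/RunOnce value whose data is an executable in an
    unexpected directory directly under the drive root."""
    m = RUN_KEY_RE.search(event["TargetObject"])
    if not m:
        return None
    # Data exported as a C-style string (as in the report tables) carries doubled backslashes.
    data = event["Details"].replace("\\\\", "\\")
    p = ROOT_LEVEL_EXE_RE.match(data)
    if p and p.group("dir").lower() not in KNOWN_ROOT_DIRS:
        return Finding("run_key_root_level_exe", event["Image"],
                       f'{m.group("key")}\\{m.group("name")} = {p.group("path")}')
    return None


def check_file_create(event):
    """Sysmon ID 11: executable written into the user's Startup folder."""
    if STARTUP_EXE_RE.search(event["TargetFilename"]):
        return Finding("startup_folder_exe_drop", event["Image"], event["TargetFilename"])
    return None


CHECKS = {13: check_registry_set, 11: check_file_create}


def scan(events):
    """Apply the per-event checks; returns findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def correlate(findings):
    """Image -> set of rules, kept only for images that triggered more than one rule.
    A process that both drops into Startup and points a Run/RunOnce value at a
    root-level executable reproduces the full pattern in this report."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f.image, set()).add(f.rule)
    return {img: rules for img, rules in by_image.items() if len(rules) > 1}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
HKU = "HKU\\S-1-5-21-268080393-3149932598-1824759070-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events: the first three mirror the report's behavioral1 tables,
# the rest are benign controls that must not fire.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\ecdevbod.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZ6H\bodaloc.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrvGD\adobloc.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shell",
     "Details": r"C:\Windows\explorer.exe"},   # one level deep, but under an allowlisted directory
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    results = scan(EVENTS)
    for f in results:
        print(f"{f.rule:26} {f.image}  {f.detail}")
    print("full pattern:", correlate(results))
```

Run as a script to print the three findings and the correlated image. The correlation step is the part worth keeping: a lone Run value pointing at a one-level directory is occasionally written by installers, whereas one process performing both the Startup drop and the Run/RunOnce write in the same session is exactly what both detonations above show. The allowlist keeps C:\Windows\explorer.exe-style values from firing; extend it for any site-specific root-level directories before deploying.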
Processes
C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c3df56fce82282df4d0f01614375ee0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocYL\devoptisys.exe
C:\IntelprocYL\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
All entries are reverse (PTR) lookups sent to 8.8.8.8 without an attributed process, and no direct connection to any of the resolved addresses is recorded. The addresses fall in Microsoft and CDN ranges consistent with Windows 10 background activity, so treat them as sandbox noise rather than command-and-control evidence unless they recur with a sample process attributed.
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | deb623d98fcfd9f39321ad81e817eeeb |
| SHA1 | aafd974fa45375b560b29bf5ae6a08e83dea83be |
| SHA256 | 703d063f3f7bc93514e3efa7118058ddb23d874e08653955e89d4952557fab7d |
| SHA512 | 02d45457cbefed988bd9c77dce12749cf3a717024b44c50d395c82b093579c93e44a7f26563a33cab533cc7a6f29b6932506d821fb577d829efd8475ffb63e54 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c6b70840996d34cd20da84b7d85908aa |
| SHA1 | d30f9ffabb2c1eb2cdb7c0853a97da6a68be030b |
| SHA256 | 9a1e413db6a9857f43d6ccfaea751e074cb405732fb396fd002f25730b95273e |
| SHA512 | 55d9717ccc7cf5eeb8296b7cd67894e06bfca941d65a5e56f5ccf03c7202fe262ce4c1bcda2c47989688c9c0bfd5d0c722bde1ef515ba4a45106a96d3312d1f1 |
C:\IntelprocYL\devoptisys.exe
| MD5 | 8cc47dd48e8dab707f7311aa39b107b9 |
| SHA1 | 25d4492f5c199a445dbe0ae730b54ff9e371824c |
| SHA256 | f7a6c5d7d14486c67f25dd7ced94afb16b2f7578390325a725c0e534bea5cc39 |
| SHA512 | fa70c94cce92175ee4590fbd981cfd73130416232145eddd07b5d95a1a09637f1bce0358c655fac3eeb72ce39e7d6f2aa630d3c9a93df478bba3bf3f4a7389a0 |
C:\LabZO2\boddevsys.exe
| MD5 | 2456e825ceeedb20f71206165d49e947 |
| SHA1 | 890f9632fef2a6bf43a9dfd735746c09de658961 |
| SHA256 | bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606 |
| SHA512 | 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a012c1e96f087446e3321d83eb909b17 |
| SHA1 | 6fcb720c4205706e98604fbe61113077abbb7311 |
| SHA256 | e4daf790e13b6fe0e40083e5c5449af38e6d9e53762bc1f6133058c951196406 |
| SHA512 | 144101c645da222c0f073a8943a4aa8a01f55eb4021b2402212680721a1e53f7f57617a42b34cbb3e12c98d35e48e7017f89b836313e2db76032e4e7b84ccc78 |
C:\LabZO2\boddevsys.exe
| MD5 | b73e8bf8c333a1ad05e6a8f5c9374821 |
| SHA1 | e2efd773b0f6fb7c2cf3de19961d35c76f54ce2f |
| SHA256 | 6f833963eaf072bc92fdd5bc9e2ad3178a7f9a8778073f5bab30bfccfb4184e8 |
| SHA512 | f201f5e9b649447f6d65bfd89655b4d69a70e77b2cf24f709e3f27dd9a72d347e5d1d29d6c52a640ca7cf0c4843f41d7211e4c5c2110366a46ca786c0eb6f4ac |