Analysis Overview
SHA256
ea22713645193c6c86485085e02d06bca401fb93f6eeb5a4b3cd2443efffc752
Threat Level: Shows suspicious behavior
The file 08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:06
Reported
2024-06-03 22:08
Platform
win7-20240221-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesMF\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMF\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ7\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2240 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesMF\xdobsys.exe |
| PID 2240 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesMF\xdobsys.exe |
| PID 2240 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesMF\xdobsys.exe |
| PID 2240 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesMF\xdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe"
C:\FilesMF\xdobsys.exe
C:\FilesMF\xdobsys.exe
Network
Files
\FilesMF\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | e36901349bc00cd62b753921b3173b94 |
| SHA1 | 66d09aef1fe3c480008d57d0d20a604e3b755caf |
| SHA256 | 8000596c63ea04477d79e65d998fa13c8d60a7c82f46b50a462ddfb2bbc5e24a |
| SHA512 | 4e304d3cebe7c7e926a2c7bfa06a5d5b6423d57a3270660d739c71d112639282d647969969a78e4200f4097472968c247b2e29a6825f370f2f05514dca3f41e0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 3eb934c3f4cb9775b5f236f8841c38d0 |
| SHA1 | b9f5f8b24ae25aa2542d2ef48e3279b6ca8d421d |
| SHA256 | e779d41f912f1e337ea545d61d47a9d28355e882a93aab8623ba2136afb3d3d3 |
| SHA512 | b43c356b8dd1a3165f2a9ada03126b6e6859ac8bc84b42e64776d3e1626f65235e6821ed7220cac333c8112b0f7bbf07857d787a758acbd94115650a22678045 |
C:\GalaxZ7\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | dc4068b2ae7bd27f2c470e5a5ce2afdf |
| SHA1 | be1f9b0d3e60fdfa1c170c336f1088d7b3265dff |
| SHA256 | 3a0f341b971bbb9efbcee9df8008a7b828fe0870b29a6e4985d19e3a7933f406 |
| SHA512 | b557ab2831d52a3e194fb77bacf1ce5a9f590010993bcfc3d50e78c0751935604b6e7e7522d8654bf57ae96c3d79af1718437a60c47f4cf05ca1d29dcbcc4b85 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:06
Reported
2024-06-03 22:08
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesB0\devbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB0\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5E\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4456 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesB0\devbodloc.exe |
| PID 4456 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesB0\devbodloc.exe |
| PID 4456 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe | C:\FilesB0\devbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08d0e0a4794a44342633fe5b7c18d690_NeikiAnalytics.exe"
C:\FilesB0\devbodloc.exe
C:\FilesB0\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\FilesB0\devbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 768caf11d81a6b16c306a55f4b72afb0 |
| SHA1 | bdd8111fbb941ca906496939d88b40eebe385e8f |
| SHA256 | f446f277b5f9a15f40a4ea67f5d88dd1fe0408f2af6e93113a3d72dd641f2036 |
| SHA512 | b8ec4aa9a0670e79792e7faaf9705b034c67e06c770838e55bdad80b510dc75335b2249d9d5646dd4576f5fa8f66e5b1ccfd71747e2ea74c7fb22b8dc07e2f70 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0a354a5d2a242a9c2d11736ec044bfb3 |
| SHA1 | 384c289d36939c566b8c42eb0e633d3361e3db57 |
| SHA256 | b8cfc9b9ab5034d1c1fe2b1f7786ae22333c7776d5c78497568c860636d807b2 |
| SHA512 | 47f2ed67e9a18c0ccb4c64ce5c7ecabbde3e90343f4fe85810a240ed54a0d02897e23690e74fbf7586bc3f446c346d8d19c0237e093db7185404abb0ef4facc5 |
C:\KaVB5E\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | f96740b10a672b19179ceb0d5638ddcb |
| SHA1 | 25ce26a19fecc0f38fe47a898dd20dcc30c9d101 |
| SHA256 | 032e86cb1c31314321b87a48e261dca870a472f357e23b5ad37f72e1aa576b5b |
| SHA512 | d287192d141698c119b77de572f70c208677f8d961685894b9a3acd58a532e4edeb259d291a19fe5b37ae92b46f4b1d787eca19941d2d8218cd8348d9704991c |