Analysis Overview
SHA256
bc988553bd83266fce4a811ff961ca83a90828210c00dd8ea6cc7529b3a7eb4e
Threat Level: Shows suspicious behavior
The file 9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:31
Reported
2024-06-03 05:33
Platform
win7-20240508-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocNR\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNR\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUB\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2116 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\IntelprocNR\adobloc.exe |
| PID 2116 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\IntelprocNR\adobloc.exe |
| PID 2116 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\IntelprocNR\adobloc.exe |
| PID 2116 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\IntelprocNR\adobloc.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe" |
| C:\IntelprocNR\adobloc.exe | C:\IntelprocNR\adobloc.exe |
Network
Files
\IntelprocNR\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | f3d8639701a72707b1fb08b0c89bbf1a |
| SHA1 | 958c5a458fd275c8d754a4df58466f09368beb38 |
| SHA256 | 3fcdef5a4a2577e7388d2156e90ba784b9dbc174f4dcb1fecee9eef8b44f29ae |
| SHA512 | 8874ccf696621252706d127eed063aa45f4dbb2f9bb816a1571863a831baa692a2fa1017819a34e2da5998de1bb919e57df2b424945b4bfe7c826d83a61a6ee4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 98633c3fbe7b47d8f7bbcfd713249cbe |
| SHA1 | 8fdc6cca037e26792f991922216d16c1a7f846f0 |
| SHA256 | f6bff13bf50eed9c0b907c5989e5aa25d1711da74b9b0b27160650e81c953958 |
| SHA512 | 54c4b36da3299ebfe3082eb2aeb46b69b13a782ba7793b4f36ce0a3cae6c10c8cadebc8bce1b9533ccc15fc6399d1cf31443c82208264edccb7a14af4606430f |
C:\KaVBUB\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | ebc57bec6dda566f04545ee14e9cbe24 |
| SHA1 | cbf9ca37f2ca406cb3fad94d68d5aa33c7ed155e |
| SHA256 | f6c56fddc5d1178df700726b68246b0d7d3898e1f22bfdee9f20da0e567a9cd5 |
| SHA512 | 899eaf628784625b293f527445ad1e80df35f3f93ae02979681342636f224e9e8fa644e7d95439c9e83d3551b981884136ddf8f88f1ad5a0afba525385979f49 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:31
Reported
2024-06-03 05:33
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvUU\abodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUU\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2F\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1572 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\SysDrvUU\abodsys.exe |
| PID 1572 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\SysDrvUU\abodsys.exe |
| PID 1572 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | C:\SysDrvUU\abodsys.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9d37326efb4943e987d45ede09648cf0_NeikiAnalytics.exe" |
| C:\SysDrvUU\abodsys.exe | C:\SysDrvUU\abodsys.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\SysDrvUU\abodsys.exe
| Hash | Value |
|---|---|
| MD5 | 675f5ac439143200783e6caae8da96ed |
| SHA1 | 3f95330e46fd517e0b579f330820ba3daa8f79d2 |
| SHA256 | e48338ea993ef9ae8a61c3e6e2e1dec45d581161a38be6124eadc44cf351059e |
| SHA512 | 851d0d2648daa448e198f634f8b2b2de23501ba2f123c571675fec8175cc09182b58c1bf36f2965dd05a4f8539efd70bc3fb0d1a3bfac7f9c1d6f4b5edc50b0a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 62489c0cb01085bf444294444861f7f7 |
| SHA1 | f0fc21d3ac63af7c3b4d5b569155ced379d7d710 |
| SHA256 | 5e20858577dd206ef2e894ed002e7da8b3b3756e102b96809eeef82aa6f6070d |
| SHA512 | dcb6d1b53430032a70fe39ae4410ae3d752d219fede139fdb25318c6ad7c51afb278ded7cc1837ad072e8c6a65d6fed90c7d6ee766ab4f52d3906f9e7839751c |
C:\Galax2F\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | 0af852173048e103a58396cf277b4e37 |
| SHA1 | d0487f89c85f670a82bbd8ff0fc708659a4f6084 |
| SHA256 | d6088b38b76e1a7437a2d08320c52fd969d1abf8674d6acd335d8336dbb3b6b2 |
| SHA512 | 8ff0412e446f1a59cab79d6ce2365d3824e61b67066123aab88bf4a73f89765c191bdc01a9db71a50a2d3b3c608aad928041f5a23f8a5b626a5fc4689cd4a0fb |