Analysis Overview
SHA256
2592cccfbaae2a195af5035ecacf092a2d01b491bf02676ac26589efca2a5243
Threat Level: Shows suspicious behavior
The file 9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe was classified as showing suspicious behavior (no family verdict was assigned).
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeGD\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGD\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBQ\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeGD\devoptiloc.exe
C:\AdobeGD\devoptiloc.exe
Network
The only traffic recorded is reverse-DNS (PTR) lookups of in-addr.arpa names sent to Google's resolver at 8.8.8.8; the report attributes no other destination to this run within the 103 s network window.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Paths listed twice below (C:\AdobeGD\devoptiloc.exe, C:\GalaxBQ\optidevloc.exe, C:\Users\Admin\253086396416_10.0_Admin.ini) were written more than once with different content, so each write has its own hash set. The .ini name embeds the NT version of the host: 10.0 on this Windows 10 image, 6.1 in the Windows 7 detonation below.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 87018a211d52b088ac9f8c58f8c6123c |
| SHA1 | 34ca91305f6034bb56d5bec8a657c7b6bff915dc |
| SHA256 | 5875af42145dd9b59460b890db6b6f2ebef4f8a927062561a69fc1601d7e161e |
| SHA512 | 52908b5763589d61b3471d87adac6c6f7a5f816f7ad55c692e38b9017e336f814560c779afe4fdf4be61cff6e094eccce5bdf7aa270aa442067e5a9bfb460100 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4722a849310018b6fa60bc71842b0e32 |
| SHA1 | b8a691927429a7c7e2676ae3688ce93387f691f7 |
| SHA256 | 007804d6da7afda31bea16d15e6446d0643d8056421d356a362b8fcbf41ae036 |
| SHA512 | 7a175dc9b5d6d73bbef36d13b2b5a75abbb11c3d82375f2e747524c63430372ee778f6a8da2ae2ff80b7838bc58a1be13f3e8ee36ee21ed5f5b78b98d9b51f69 |
C:\AdobeGD\devoptiloc.exe
| MD5 | 041de19463513d412dedbcb9b654d5b9 |
| SHA1 | bf3edb9ab6deae6642ad1dd2d32353ba205c929c |
| SHA256 | 5499e8bd08ed16b244370d84f108ba0cafe6afd7bb93348b9b2950206825da3e |
| SHA512 | 6c393685b7da9ec1422514688b4167a5b3db1afd797d84b15c7f37fe6bfe3990e63a8bd04964e025435cc24498e036adab1c4da04ffe4aa8c1f60db247c7930c |
C:\AdobeGD\devoptiloc.exe
| MD5 | 9c8a422dd3e2506041417004ad901135 |
| SHA1 | d5b5efe873dde3e177cfd4c14e1485bcabc28f7c |
| SHA256 | 64b6b5944cfabed098ba9429ca59a141de3c3db18d4f246422077c74b5bb56fb |
| SHA512 | 904f11e07d002f1c9b7e0306dc94be8aa7f25d3c5a81808e348e418e1e98b482236a6ff9e9d006fdd2234d1abf548e0bc6111bd2088445c7e7b1657b43ca2965 |
C:\GalaxBQ\optidevloc.exe
| MD5 | 6c08f5f0a583faaa334c90bbbad1bc05 |
| SHA1 | e700c789c43efab96badeb0caf6c23b8d42af57e |
| SHA256 | 9d7df895417e18dd2736e02f4793e0e8c22e8856f8cfc2c7877feb124ef4897e |
| SHA512 | 7feb7683c22493f747b44abca1a52cb34f628148bd139d3636414ff8dbd7727789ee11da88edd589cf2c3696f4425c3e916c8e392104d7520a9b7d8fa3345fe8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f3bf59748798b0e0ab776c7d7c617423 |
| SHA1 | 57b0bed10cc179c3837627894224da9601f04d2c |
| SHA256 | dbb44fccf5577577c6f9493de6e77bf57f672924a2c9f413aba60556566128d0 |
| SHA512 | cfce0c8d2d7e48497fcadbed1a8917be6b3aeea2a4f2da9fae20c13f1aca2933e624252f571a04b40abec9da984b783a5edc488c0ed7115de051f5c1441fcff4 |
C:\GalaxBQ\optidevloc.exe
| MD5 | db60924fdcd457c1cfbb399f4fc7d13e |
| SHA1 | d070b431d1d7bd91a603447a3c78fcc8ace5cce5 |
| SHA256 | 4429e3955e01bb133cc7fced719828aa437cc75c681979fc8b27d81367755141 |
| SHA512 | 613a81fbc3927ed714f83a41991dd251fb59943888164f1fcd6caf694f47f320404621d6fa417fb36589b5b3b73895dfcdc2271be07951fe70203172d78e86c8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\UserDot12\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot12\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNH\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
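Both detonations show the same persistence shape: an EXE dropped into the per-user Startup folder, a Run value and a RunOnce value both named Parametr pointing at executables in freshly created directories one level under C:\ (AdobeGD and GalaxBQ on Windows 10, UserDot12 and GalaxNH on Windows 7), and a <digits>_<NT version>_<user>.ini marker in the profile root. The following is an added example of hunting logic for that shape, not code from the sandbox report or from the sample. The event dicts and their field names ("event", "key", "value", "path") are an assumption modelled on Sysmon registry-set and file-create records; the malicious keys, values and paths are copied from the indicator tables above, while the OneDrive Run entry and notes.ini are constructed benign controls.

```python
"""Hunting checks for the autostart pattern recorded in this report.

Added example, not part of the sandbox report. Events are constructed,
modelled on Sysmon registry-set (EventID 13) and file-create (EventID 11)
records; the dict field names are an assumption of this example.
"""
import re
from typing import Dict, List, Optional

RUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
STARTUP_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# C:\Users\<user>\<digits>_<NT major>.<minor>_<user>.ini, as written in both detonations
# (..._10.0_Admin.ini on Windows 10, ..._6.1_Admin.ini on Windows 7).
PROFILE_INI = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\\d+_\d+\.\d+_\1\.ini$", re.IGNORECASE)
# Directories directly under the drive root where an autostart EXE is ordinary.
KNOWN_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def image_path(value: str) -> Optional[str]:
    """Extract the executable path from a Run value, dropping surrounding quotes
    and trailing arguments. The report renders backslashes doubled; collapse them."""
    value = value.replace("\\\\", "\\").strip()
    m = re.match(r'^"?([A-Za-z]:\\[^"]*?\.exe)\b', value, re.IGNORECASE)
    return m.group(1) if m else None


def unusual_root_exe(value: str) -> bool:
    """True when the executable sits one level below the drive root (C:\\Foo\\bar.exe)
    in a directory that is not a standard Windows root, e.g. C:\\AdobeGD\\devoptiloc.exe."""
    exe = image_path(value)
    if exe is None:
        return False
    parts = exe.split("\\")  # ['C:', 'AdobeGD', 'devoptiloc.exe']
    return len(parts) == 3 and parts[1].lower() not in KNOWN_ROOTS


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the checks this single event trips."""
    hits: List[str] = []
    if ev["event"] == "registry_set":
        if RUN_KEYS.search(ev["key"]):
            hits.append("autostart_run_key")
            if unusual_root_exe(ev["value"]):
                hits.append("run_key_points_to_root_dir_exe")
    elif ev["event"] == "file_create":
        path = ev["path"]
        if STARTUP_EXE.search(path):
            hits.append("exe_dropped_in_startup_folder")
        if unusual_root_exe(path):
            hits.append("exe_created_in_root_dir")
        if PROFILE_INI.match(path):
            hits.append("profile_ini_marker")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Run check_event over every event, preserving order."""
    return [check_event(ev) for ev in events]


# Constructed events. The first four reproduce indicators from the Windows 10 run
# (value strings keep the report's doubled backslashes); the last two are benign controls.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r'"C:\\AdobeGD\\devoptiloc.exe"'},
    {"event": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r'"C:\\GalaxBQ\\optidevloc.exe"'},
    {"event": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"},
    {"event": "file_create", "path": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event": "file_create", "path": r"C:\Users\Admin\Documents\notes.ini"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev.get("path") or ev["value"], "->", hits or "clean")
```

The root-directory check is the one that separates this sample from ordinary autostart entries: a Run value alone is noise on any workstation, but a Run or RunOnce value whose image lives in a two-component path such as C:\GalaxBQ\optidevloc.exe, paired with a fresh EXE in the Startup folder from the same process, is worth an alert. Extend KNOWN_ROOTS with any vendor directories your fleet legitimately keeps at the drive root before deploying.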
Processes
C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d4ae5ae39aa1c037118fa15b464dc50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\UserDot12\abodec.exe
C:\UserDot12\abodec.exe
Network
Files
As in the Windows 10 run, C:\UserDot12\abodec.exe, C:\GalaxNH\bodxsys.exe and C:\Users\Admin\253086396416_6.1_Admin.ini each appear twice with different hashes, so they were rewritten with different content during the detonation; the 6.1 in the .ini name is the NT version of this Windows 7 image.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 9836c2a9c475ef9e6f684ec571fa678b |
| SHA1 | f77be7cc7963ba1f0fb410a4ce859d8d33e8e364 |
| SHA256 | 6c4b2f732fc6fa6a6038cf9375392d880b2647dcaf8d958de2f71d0fbae0da11 |
| SHA512 | 506f29e81b5c49b331023347eee54367eb7ef35ed469c09397b73e4394e5db69f4e7f485273e328d04601032469975d8bd73c0120129097f3b11265aeaf40d70 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1499d50a9c97f229f6f53046d99bc6c9 |
| SHA1 | 751643f2376fc6d588be80b62dca196fe2c2d566 |
| SHA256 | 8394145971bdfa4ef1ba3ade296905e5f4168f5477fbc30aa3c066d4fc8c2fc5 |
| SHA512 | 98de345b5124e6b0dd3537f49ae58e6af3fca72c1ac45712ac6b6b318a31dc2857a70626f67a49fba46062babda678827ff68bc74c4fe8caa5cdfdc07d3f689d |
C:\UserDot12\abodec.exe
| MD5 | c7cb620e475af87fa807834e7be637a3 |
| SHA1 | 45d18155ab6664e924077495edab38c73e85b568 |
| SHA256 | bf68beac71d89859e232caa6785e23fe10d423ae92f46eb343a8261a7d51d7a0 |
| SHA512 | 0a1eedfce79d696c9d3d663fc89ad85b2c00349f7088ebf510d3021236c6e02de99fc6cac1c7fe79a299362d4b0db446c050450a0f0377d339e6f8c2d4da1504 |
C:\GalaxNH\bodxsys.exe
| MD5 | 9248625cc2eb983215a5cebf4640ba47 |
| SHA1 | 9d1afbbbc4bc5efa31db298892b3e795315e3803 |
| SHA256 | 782c90598a6c938f2b249fdbe0019b9cd2da316637d4e750170dd258c527647d |
| SHA512 | 4c37ec9eb3ea55cc04ae4884e38de624c1054e35f430af009ff2eb8c3822ebc5a6470d4a254b782183fccd869a26ad09d2dcf7cf987a095d30af804cec9a7e40 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b06f698d243fc2c5776aa1622a8266f0 |
| SHA1 | 30149de7a7c8037bdc4c44c62477d7106d654d66 |
| SHA256 | 5e2bebf9efdc1a7eee2737ce1a963560197199d437141c54b81c182205cd4eef |
| SHA512 | 07401443b8bd4a60e40422c9d739e83d7dbed99d084fed4fe06e0f9be8ec8cd613faffff5ba2afd8c770603b45f75246e658d71827a139598d9b28eeaeb59891 |
C:\GalaxNH\bodxsys.exe
| MD5 | 33ecbbc71cb0f5fe6e00e970327721df |
| SHA1 | 39bd3fae9f1adab08a41becb2881b34d09cfd595 |
| SHA256 | 70f38bdbcec215cd5ab203f358ae1052440d21634d2e2fd590ebcdc43bbbdbd3 |
| SHA512 | 8dbc8251ddb94311d0ba7b0845390deec9b91b6d257cde4916fa4d5fa16f3e01722c2d078826e9f90278bc30addd432ce7ff74b61fdbfb987d07080582e6dee5 |