Analysis Overview
SHA256
7c6a9bb0dd9c4035f896fbb94ad887181e3069af5aed487a5c4f7c9a3cac8d6b
Threat Level: Shows suspicious behavior
The file 9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:15
Reported
2024-06-03 05:17
Platform
win7-20240220-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrv4W\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAR\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4W\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\SysDrv4W\xdobec.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\SysDrv4W\xdobec.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\SysDrv4W\xdobec.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\SysDrv4W\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe"
C:\SysDrv4W\xdobec.exe
C:\SysDrv4W\xdobec.exe
Network
Files
\SysDrv4W\xdobec.exe
| MD5 | 0cd96f99918116b2b45dce2bb72610d4 |
| SHA1 | d37e22210bc0f14a9a2d95d3ae3b0b239c1c2a8e |
| SHA256 | d79073b36b89c8793f00cb165f15ec497f63f35ce44974bac9f1bdfab58ff181 |
| SHA512 | ade5f362fd866fd17f8f5534a79463af96dff93041bd56efd5da39a02e562545ecbde4202530ad47183337397f55a263fecf062880f92bb481b1fee9df18b31f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ed5c1bda185bfa301640d1e52635104c |
| SHA1 | 121b2cf452de0b2af70f8965f859ad999c1d4661 |
| SHA256 | 2a0b6c3a8f570c458b294c2e9de7ed486eb024e8baba610a922e615a6319171e |
| SHA512 | c818479662741cf73f052a71cd8abad65963ccd71752fc3b7a40aab5accf0ef06143305c5345fadbd8bd3e06aa4a44816885d547d0dddbc8e15fae707f3a3697 |
C:\GalaxAR\optialoc.exe
| MD5 | cc4ee5fb967e3a7965a3017934e038bd |
| SHA1 | b6be3a3741fbb444fd795a53e73e6680f05c330f |
| SHA256 | a16cb12b80b8cd15184b88e9faaccc784bf0367f2f48ec99f951a5a31b1ebeb0 |
| SHA512 | 31f15d231837caca7efeff829cacc59665579fe85011e92293c59b151dd40e198f15f29c99c23fd0f6bb34ce16ba2624e6ccf87fc065caa0448635c2d66b1a4d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:15
Reported
2024-06-03 05:17
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\IntelprocCL\devbodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVC\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCL\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\IntelprocCL\devbodsys.exe |
| PID 4352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\IntelprocCL\devbodsys.exe |
| PID 4352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe | C:\IntelprocCL\devbodsys.exe |
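The two behavioral runs record the same pattern: the sample drops executables into root-level directories (C:\SysDrv4W and C:\GalaxAR on the Windows 7 run, C:\IntelprocCL and C:\LabZVC on the Windows 10 run), registers them under the user's Run and RunOnce keys with the value name Parametr, and then writes repeatedly into the memory of the dropped child process (PID 2784 into 3064, PID 4352 into 2128). The Python below is an added example, not part of the sandbox report, that parses the Indicator and Description cells of the "Adds Run key to start application" and "Suspicious use of WriteProcessMemory" tables from both runs into structured records and applies the checks an analyst would want from them: an autostart entry whose target lives outside a trusted top-level directory, the same value name reused across Run and RunOnce, and a parent that writes into a process whose image is one of the dropped files. The indicator strings, PIDs and paths are copied from the report; the TRUSTED_ROOTS set and all function names are assumptions of this example.

```python
"""Added example: turn the report's Run-key and WriteProcessMemory rows into
structured findings. Not part of the sandbox report."""
import re
from collections import Counter

# Indicator cells copied from the "Adds Run key to start application" tables
# (behavioral1 = Windows 7 run, behavioral2 = Windows 10 run).
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAR\\optialoc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4W\\xdobec.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVC\\boddevsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCL\\devbodsys.exe"',
]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe"

# (Description, Process, Target) rows copied from the "Suspicious use of
# WriteProcessMemory" tables: four rows in behavioral1, three in behavioral2.
MEMORY_WRITES = (
    [("PID 2784 wrote to memory of 3064", SAMPLE, r"C:\SysDrv4W\xdobec.exe")] * 4
    + [("PID 4352 wrote to memory of 2128", SAMPLE, r"C:\IntelprocCL\devbodsys.exe")] * 3
)

# Executable paths listed under "Files" in the two runs.
DROPPED_FILES = {
    r"C:\SysDrv4W\xdobec.exe", r"C:\GalaxAR\optialoc.exe",
    r"C:\IntelprocCL\devbodsys.exe", r"C:\LabZVC\boddevsys.exe",
}

# Analyst assumption (not from the report): top-level directories where an
# autostart binary would normally live. A Run value pointing anywhere else
# directly under the drive root is treated as suspect.
TRUSTED_ROOTS = {"program files", "program files (x86)", "windows", "users", "programdata"}

AUTOSTART_SUFFIXES = (r"microsoft\windows\currentversion\run",
                      r"microsoft\windows\currentversion\runonce")

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_run_key(indicator):
    """Split a 'Set value (str)' indicator into hive, SID, key path, value name and data."""
    path, _, data = indicator.partition(" = ")
    parts = path.split("\\")          # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    hive = parts[2]
    sid = parts[3] if hive == "USER" else None
    first = 4 if sid else 3
    return {
        "hive": hive,
        "sid": sid,
        "key": "\\".join(parts[first:-1]),
        "name": parts[-1],
        "data": data.strip('"').replace("\\\\", "\\"),  # undo the report's doubled backslashes
    }


def root_dir(path):
    """Top-level directory of a Windows path: 'C:\\SysDrv4W\\x.exe' -> 'SysDrv4W'."""
    parts = path.split("\\")
    return parts[1] if len(parts) > 1 else ""


def flag_persistence(indicators):
    """Autostart entries (Run/RunOnce) whose target is outside TRUSTED_ROOTS.

    Returns (key leaf, value name, target path) tuples in report order."""
    findings = []
    for indicator in indicators:
        entry = parse_run_key(indicator)
        if not entry["key"].lower().endswith(AUTOSTART_SUFFIXES):
            continue
        if root_dir(entry["data"]).lower() not in TRUSTED_ROOTS:
            findings.append((entry["key"].rsplit("\\", 1)[-1], entry["name"], entry["data"]))
    return findings


def summarize_memory_writes(rows, dropped):
    """Group WriteProcessMemory rows by (source PID, target PID) and note whether the
    target image is one of the dropped files (the dropper writing into its own output)."""
    summary = {}
    for description, source, target in rows:
        match = WRITE_RE.match(description)
        if not match:
            continue
        pids = (int(match.group(1)), int(match.group(2)))
        record = summary.setdefault(pids, {"source": source, "target": target,
                                           "count": 0, "target_dropped": target in dropped})
        record["count"] += 1
    return summary


def shared_value_names(indicators):
    """Value names set more than once within the same user hive (here: 'Parametr'
    under both Run and RunOnce)."""
    seen = Counter((e["sid"], e["name"]) for e in map(parse_run_key, indicators))
    return {name for (sid, name), n in seen.items() if n > 1}


if __name__ == "__main__":
    for leaf, name, target in flag_persistence(RUN_KEY_INDICATORS):
        print(f"{leaf:8} {name} -> {target}")
    for (src, dst), rec in summarize_memory_writes(MEMORY_WRITES, DROPPED_FILES).items():
        print(f"PID {src} -> PID {dst}: {rec['count']} writes, target dropped={rec['target_dropped']}")
    print("reused value names:", shared_value_names(RUN_KEY_INDICATORS))
```

Run as-is, all four Run/RunOnce entries are flagged because none of the target directories is a trusted root, the value name Parametr is reported as reused in both user hives, and both write pairs resolve to a dropped file as the target. Lowercasing the key path before matching matters here: the Windows 7 run records `Software\...` and the Windows 10 run records `SOFTWARE\...`, and a case-sensitive match would miss one of them.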
Processes
C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cb30238bfcaa1f50efab21066f05ef0_NeikiAnalytics.exe"
C:\IntelprocCL\devbodsys.exe
C:\IntelprocCL\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
C:\IntelprocCL\devbodsys.exe
| MD5 | 7cf035ce3989c98a39840c078fa0475c |
| SHA1 | 8b2927e2ae7566828aa2ced58afb1184625bdc0f |
| SHA256 | 01e0d5f476022e72d32028043edffc7e42a11b11d31bda0d6803df6e31fb94d9 |
| SHA512 | dc7492c873eda497dabcce8a6d1217f77787025cbab989fe5c6bc4f06554f86692e1259daaf361482b43344f81eca2f3bbe5727cbaa869ef4dc58a1f42ebeb12 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 14c35c180c0486d4bbdb38fbafecc384 |
| SHA1 | efd1d96f4d16d6d00f440ae455985c2807db8eca |
| SHA256 | f24419d88e54aa60d449d178d9f5ccce7550eb898a54e72357922cd81ec9cc1a |
| SHA512 | 985e43ef0e53bd44c4951fbc4a06521384fe8ed93d530fbc625bd8934bd05b7d17665f7f8433db0d576fc46375ba27a91c0ccfd5474f9733ff61d888b613a34d |
C:\LabZVC\boddevsys.exe
| MD5 | 026b5b3bccf5ba08eba11a75edf428a9 |
| SHA1 | 985adb24f126dd515a736f15e0e0ef950d16074d |
| SHA256 | 16b103bb168152cc04e4001d70f47793753bccb663ae111930c81e7aeb1b3b74 |
| SHA512 | cb6f00bffd6b94341601e36d76a2ab6cf2be99277668d045a37d5a02cc79635fb16b795cbae3578a7d30d2f3cb655c7bdca28503b445e3868e929c2854409c6e |