Analysis Overview
SHA256
6bcdb3998a22cf14313118fbb34cfefbc162d7459373c0d933624c74a911e895
Threat Level: Shows suspicious behavior
Verdict for 9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe: shows suspicious behavior. In both detonations the sample drops an executable into the per-user Startup folder and writes Run/RunOnce values pointing at further dropped executables (see the behavioral analyses below).
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:28
Reported
2024-06-03 06:31
Platform
win7-20240215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDotCG\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCG\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKF\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDotCG\xbodec.exe
C:\UserDotCG\xbodec.exe
Network
No network traffic was recorded in this detonation.
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | c4eb98bf97f66d1052d7c0f4bbdf089d |
| SHA1 | 316f109a71c99aec4886d66c6f2ca67bb7b8da9c |
| SHA256 | 2e03db3caef02fcef4896f298669014983a41fb5a963a0c2804c67a2c909c6a3 |
| SHA512 | ef0e1abead8a13233878b6f359f5a15f1365b18905d11786fde484ab9c61b192f44f19b13318f08caa83c14e14555042a5af0b40048387f3dd34cd228fd540b8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8f08c6096469974b21afe15cddb6d793 |
| SHA1 | 62f177d878eef50b21870db626aadf8c55f5da70 |
| SHA256 | efd0718aecfcb1f279f13c775226abf4df9ea963e1a2f4f978d4e3bb8b6af11a |
| SHA512 | efdffdad9f42d4a2d761ca1a81713275760ffde76cb64c93c1a35c6830a1fa609c70f9ec7b920951f6c911f42abf59fdf7572b3b482c9d9a528b04368b6dda11 |
C:\UserDotCG\xbodec.exe
| MD5 | 69a03c2b75ee2146527e2d5cd525657c |
| SHA1 | 05e4e6a9388416eef89c2e9e841021a2ef8b3a8a |
| SHA256 | d3d8663b7a01b280ec981309d03eb377d693a734e8ef71f828641e105a8aee9d |
| SHA512 | 90adb8a8c388309592058848665e26ecf8f30532d7cf438f85326ef4206f5f0d9148c23addce169f3a898ca1c04910e57f6ab0f81de80d230ecaee965a5b66ba |
C:\KaVBKF\optixec.exe
| MD5 | 2e6ed5879adc9116d56bd23593ff7a42 |
| SHA1 | 70337e0a527ee396d0ab858a7f907326084621b7 |
| SHA256 | 50f18fb293d18fe7b32867c150d79364796eb778ef4982956cae1d0c8c3a0dfc |
| SHA512 | 8cceb761eb368e18b60a8387cef2459024e117cfc315c2e7c453ca321f6619a12aff8cf5832cd5ba625c3e22628893db8ed7d834ae63d5a075cac360ecbdec6a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 02eca9c19b712cb217858745bea9a4ba |
| SHA1 | 4c191464e9ff4afc151580276d963dafced14464 |
| SHA256 | 5a83c49d902fe3b48ebd71570bff388a04f0b7fd0e899db9286bd02fc0f70cb0 |
| SHA512 | 748ee91524726e38e230e85b9f7b029f2b067cb9e3cad16d04e1cb0896af60150bbdaa5987f090104bed014da5a7e460df26bc8e231db6cd3460c19c33bfef64 |
C:\KaVBKF\optixec.exe
| MD5 | 63be0e3ea3ebf9c4ce2ce2bc3885b749 |
| SHA1 | 7937d449ef74d826b57d48f7555377674bb5122e |
| SHA256 | fac00e709ffee4bd075037382b512102d675cf2d106e4227dccd743493fe51fc |
| SHA512 | e574e0a162cce50b51b1269d8adcda2e7e56616e9775b47b60ab0aa769db7ad832bf5816d8a6df208d8b2ed76786c10a1c329fdeb051d538548c5e3d225a4dff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:28
Reported
2024-06-03 06:31
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Adobe5I\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5I\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUH\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
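Both detonations (behavioral1 and behavioral2) persist the same way: an executable is written to the per-user Startup folder, and a `Run` and a `RunOnce` value named `Parametr` are set under the user's hive, each launching an executable from a freshly created top-level directory (`C:\UserDotCG`, `C:\KaVBKF`, `C:\Adobe5I`, `C:\KaVBUH`). The detection logic below is an added example written for this page, not part of the sandbox report or its signatures. It runs over records modelled on Sysmon Event ID 11 (FileCreate) and 13 (RegistryEvent value set); the sample records are constructed from the indicator columns above plus two invented benign records, the `TRUSTED_ROOTS` allow-list is an assumption, and the benign OneDrive entry is illustrative only.

```python
"""Detect the two persistence mechanisms recorded in behavioral1 and
behavioral2: an executable dropped into the per-user Startup folder, and
Run/RunOnce values pointing at an executable outside trusted install roots.

Input records are modelled on Sysmon Event ID 11 (FileCreate) and 13
(RegistryEvent: value set). SAMPLE_EVENTS is constructed from the indicator
columns of this report plus two benign records; it is not captured telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# ATT&CK technique covering both behaviours: Registry Run Keys / Startup Folder.
ATTACK_ID = "T1547.001"

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Start ?Up\\[^\\]+$", re.I)
# Assumption: autostart entries under these roots belong to installed software.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe"
SID = r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000"
SAMPLE_EVENTS = [
    # Records taken from the behavioral1 indicators in this report.
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotCG\xbodec.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBKF\optixec.exe"},
    # Constructed benign records: an installed product's Run value and a user shortcut.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
]


@dataclass(frozen=True)
class Finding:
    technique: str
    reason: str
    process: str   # process that created the autostart entry
    target: str    # registry value or file path that was written


def parse_command(details: str) -> str:
    """Return the program path from a Run-value command line.

    A quoted program path may be followed by arguments. An unquoted path may
    itself contain spaces, so we cut only at the first ' /' or ' -' argument
    marker; this mirrors how such values are usually written, not how
    CreateProcess resolves them."""
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.search(r"\s[-/]", s)
    return s[:m.start()] if m else s


def under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def detect(events: Iterable[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 13:
            key = ev.get("TargetObject", "")
            m = RUN_KEY_RE.search(key)
            if not m:
                continue
            exe = parse_command(ev.get("Details", ""))
            if under_trusted_root(exe):
                continue
            hive = "per-user" if key.upper().startswith(("HKU\\", "\\REGISTRY\\USER\\")) else "machine-wide"
            findings.append(Finding(
                ATTACK_ID,
                f"{m.group(1)} value '{m.group(2)}' ({hive}) launches {exe}, outside trusted roots",
                image, key))
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR_RE.search(target) and target.lower().endswith(EXEC_EXTS):
                reason = "executable written to the Startup folder"
                if "\\appdata\\local\\temp\\" in image.lower():
                    reason += " by a process running from %TEMP%"
                findings.append(Finding(ATTACK_ID, reason, image, target))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}\n    process: {f.process}\n    target:  {f.target}")
```

Against the constructed records this yields three findings (the Startup drop, the `Run\Parametr` value and the `RunOnce\Parametr` value) and ignores the two benign records. The same rules apply unchanged to behavioral2, where only the directory names and the SID differ. Two caveats for production use: the allow-list is path based, so an attacker who can write under `C:\Windows` or `Program Files` is not caught by it, and `RunOnce` values are deleted after execution, so the registry event is often the only trace left.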
Processes
C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ea832b5bceb239e61b159263d42bf50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\Adobe5I\xdobsys.exe
C:\Adobe5I\xdobsys.exe
Network
All recorded traffic is DNS: reverse-lookup (PTR) queries for in-addr.arpa names sent to 8.8.8.8. No connection to any of the resolved hosts is recorded in either detonation, so these names are not by themselves command-and-control indicators; the Country column refers to the resolver, not to the looked-up address.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | e2ef23b8501946b14d1f07d9e30ac6f1 |
| SHA1 | d9e77c3e8d180ffe73c61515ab0f753893667fbe |
| SHA256 | e1ed98b293d6ae5ef31a5c3a64b4c7389ce6d70a7ed0b53482b818b822fab6d7 |
| SHA512 | 09fbafcae73d8f0089de3b52153c98b1efd49ad0cfdef34d623d3a66ff58b9a71dc3f5023c571d6d44fd272f5c9791e46808c29c7ca242c25805107fea6b9eca |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 09f2e863f8b8bf40db12a026394294b1 |
| SHA1 | ba07902657ca60aaec6f5dca5c4cd5b6b477fc08 |
| SHA256 | 1d971c5af504ba08a98639790fe79ee73b37dd2e2c0fbe0a5d43e0e69c0b0d00 |
| SHA512 | a5ba1147973ecfbc6cd7963491c3ce4ee80b6d0affa84a090488d2392ccc0b0fd707242f25d96b93cac56a3438c7fe5256eaee347bf6209c1ff2c8d9f0487033 |
C:\Adobe5I\xdobsys.exe
| MD5 | e206bdf01a3697585baf79f0041b360d |
| SHA1 | 8af4c01a899d69f5b7028e55cc143ccdb98cd839 |
| SHA256 | 3d1d55d77fe77d09941339eb18404bb057a8bf8787ddbf4ee630f44d362f9501 |
| SHA512 | d9d19a68c59901b3a47cf2527c4cf9c06bbe0e4be9b80af475509712d0d996cc6b63d4f71641a7bfca0717159c95990ae02e0cffc8617117ca335e19ac4b0a6e |
C:\Adobe5I\xdobsys.exe
| MD5 | e95d844b207473d0aa84e36b59c76c32 |
| SHA1 | 1129ac37c316943316d5e8888e8ae70a10979838 |
| SHA256 | 171b75c93cd9eb3f6e8a1db758b973992c7bdbd6b3a3326228ca8f2a04c18819 |
| SHA512 | a6b9b858ba4f2e6206270b24ddf957d28f4aeadebe9702c1fd147a029fad07d5c80e2423b7d71dda4cd2c3bc632ff90fd9af43cda70c19fe891fb2692af44d50 |
C:\KaVBUH\dobdevloc.exe
| MD5 | 9d8e28197f33df66823c2ba858eaaa7e |
| SHA1 | 48f4b289f359eeccf152be5d19d7c4006b4ecd67 |
| SHA256 | 65380dd7e038a2f8861675197a4c6932f96e4bc532cbf7e7deec137ed5b08865 |
| SHA512 | 1a1d10aa5e90b551796abf2fe0118fc87aaad7081df59536268957e90e3c072ae5208c385357186286de2763a1ef55d05c1afd5c4bce60ad3cda63cc8bdea47b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b9358f0ebdd7c61fe79d8f4483d86a37 |
| SHA1 | f49b8290c5097cbfe1eaa999ebeeeb66cbe031d6 |
| SHA256 | 89cecb5a381f42b7e0a1d486b2e0030c8713867909a36e5463575560814c8bd4 |
| SHA512 | 50cd555711ebbb04c0e3ff1a6be50a97a3c6b6f4f1f3824b87a825c60df029829bbdc65041fc7b1804ba25f74850b1d17966c1292f71a6b7b35a6fccfc8165ba |
C:\KaVBUH\dobdevloc.exe
| MD5 | 4e63d64e52679ec7372c3c0abc75e83c |
| SHA1 | 58c794beac2f26f3ad5e98bb421606cfa4e78954 |
| SHA256 | f199559b49c644bae19e5e122c89d1898144b34d487f306cf70338e215253c81 |
| SHA512 | b8148ac603ce5c8a628dc9b99e39534ff294738b169ecfba3d988069995cf0bff723f3da0456d9d71f474f0bfe79385883377a07566b209b94cf0a8026b36301 |