Analysis Overview
SHA256
0380232dbeadc88e7dd49a6682c74a9876d560eace983f94236d69059c7e367f
Threat Level: Shows suspicious behavior
The file 9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:38
Reported
2024-06-03 05:40
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotG2\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotG2\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidC4\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDotG2\adobloc.exe
C:\UserDotG2\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotG2\adobloc.exe
C:\VidC4\dobdevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidC4\dobdevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:38
Reported
2024-06-03 05:40
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
130s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\Intelproc5K\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5K\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFH\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d5c0808f0a8eb112f4ce760ed2aa9f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\Intelproc5K\adobloc.exe
C:\Intelproc5K\adobloc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Intelproc5K\adobloc.exe
C:\GalaxFH\bodaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxFH\bodaec.exe