Analysis Overview
SHA256
4b893fe9b796bc711f72786faa1212eb22105fb825643abd1ff41f112e5dd14d
Threat Level: Shows suspicious behavior
The file 9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:42
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocR8\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR8\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO5\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocR8\devbodsys.exe
C:\IntelprocR8\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocR8\devbodsys.exe
C:\GalaxO5\dobxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxO5\dobxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocLC\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLC\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d65b7377b97a83b5bf897b308d5b800_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocLC\adobec.exe
C:\IntelprocLC\adobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocLC\adobec.exe
C:\IntelprocLC\adobec.exe
C:\KaVBTQ\bodasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBTQ\bodasys.exe