Analysis Overview
SHA256
91919bb68614f3f0efd5035ecedd225598fdffaebdcbb5d411fec6a4d6b393f5
Threat Level: Shows suspicious behavior
The file 9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:51
Reported
2024-06-03 05:53
Platform
win7-20231129-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\AdobeMV\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMV\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC4\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe"
C:\AdobeMV\xdobec.exe
C:\AdobeMV\xdobec.exe
Network
Files
\AdobeMV\xdobec.exe
| MD5 | d4d3f76620c270834cde5eff10dd2646 |
| SHA1 | 7527290c9dce10e7e26819c27976e7d5c0f54470 |
| SHA256 | c453b3e3cf838a67db13915bebc560859d1ee760e78917840866c438da90c15e |
| SHA512 | 1ad02a462515d47f33a1a258c7290191f8f365332b70172b9ab3ff9044513d6ea6662444a66c5e7aab8ee051c7672536885d290f6c1d16455326015b2291f90e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f53ce8b01978903940a74513917f831a |
| SHA1 | dc099f01f699b3f25ce544966c75e377923804f0 |
| SHA256 | 7491ad9b05b30d840ca8c83bd86556f2c3a3e891d77252d15935b23ccb494f1e |
| SHA512 | b8e17399e8b7a0030c2e8ac33b1a58f1e459d8d4fcf09bfd5a68df36d47cbd86148d6036bc8a7d0a7603e387532b797baba319b1fcf9aaf9b12ccd0eb44d195f |
C:\GalaxC4\bodaec.exe
| MD5 | e82b88135480ada02f7eaaea5741c640 |
| SHA1 | b239938802309c3392cfd09358bf0c324a00676f |
| SHA256 | d3a8442aed6c45373e6b2dda368a5c533e029982f5a213123a2d41e2bb2a5127 |
| SHA512 | 3515146018a6c99d212a2e783ae050df1e64f3c11b115ef5c3cb32695388c0e2985c1159f5d2eba28d32b5fab99b42b45a416b68679a0ccbcc5965afb323e7bf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:51
Reported
2024-06-03 05:53
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\UserDotC1\devbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFT\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC1\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\UserDotC1\devbodloc.exe |
| PID 2360 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\UserDotC1\devbodloc.exe |
| PID 2360 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\UserDotC1\devbodloc.exe |
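The Run/RunOnce rows and the WriteProcessMemory rows in the behavioral1 and behavioral2 tables above are the indicators a responder would actually hunt on: both detonations register the same value name, Parametr, under both Run and RunOnce, and each points at an executable in a freshly created directory directly under the drive root. The script below is an added example, not part of the sandbox report or of any tool the report was produced with; it parses those rows (copied from the page as constructed input) into structured records, collapses the repeated memory-write rows into parent-to-child pairs with counts, and flags autostart targets outside standard Windows directories. The function names, the PersistenceEntry record and the KNOWN_ROOTS heuristic are my own assumptions.

```python
"""Parse persistence and process-memory-write indicators from a sandbox report.

Added example: the regexes, record type and 'suspicious root' heuristic are
assumptions of this script, not part of the report format or the sandbox.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: rows copied verbatim from the two behavioral analyses.
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMV\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC4\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
| PID 2332 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\AdobeMV\xdobec.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFT\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC1\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | N/A |
| PID 2360 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe | C:\UserDotC1\devbodloc.exe |
"""

# Registry "Set value (str)" indicator: hive SID, Run vs RunOnce, value name, target.
REG_RE = re.compile(
    r'\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)\\(?:[^|]*?\\)?CurrentVersion\\'
    r'(?P<kind>Run|RunOnce)\\(?P<name>[^\s=|]+)\s*=\s*"(?P<target>[^"]*)"',
    re.IGNORECASE,
)

# "PID a wrote to memory of b" rows: source PID, target PID, both image paths.
WPM_RE = re.compile(
    r'\|\s*PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s*\|\s*[^|]*?\s*\|'
    r'\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|'
)

# Assumed allowlist of directories expected directly under a drive root.
KNOWN_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass(frozen=True)
class PersistenceEntry:
    sid: str
    kind: str        # "Run" or "RunOnce"
    name: str        # registry value name
    target: str      # normalized path the autostart entry points at
    writer: str      # process that set the value
    suspicious: bool


def is_suspicious_root(path: str) -> bool:
    r"""True when the target sits in a non-standard directory created directly
    under the drive root, e.g. C:\AdobeMV\xdobec.exe but not C:\Users\...\a.exe."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[1].lower() not in KNOWN_ROOTS


def parse_persistence(report_text: str) -> list[PersistenceEntry]:
    """Extract Run/RunOnce entries; the report doubles backslashes in the target."""
    entries = []
    for line in report_text.splitlines():
        m = REG_RE.search(line)
        if not m:
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        target = m["target"].replace("\\\\", "\\")
        entries.append(PersistenceEntry(
            sid=m["sid"], kind=m["kind"], name=m["name"], target=target,
            writer=cells[2] if len(cells) > 2 else "",
            suspicious=is_suspicious_root(target),
        ))
    return entries


def parse_memory_writes(report_text: str) -> Counter:
    """Collapse repeated WriteProcessMemory rows into (src, dst, proc, target) counts."""
    counts: Counter = Counter()
    for line in report_text.splitlines():
        m = WPM_RE.search(line)
        if m:
            counts[(int(m["src"]), int(m["dst"]), m["proc"], m["target"])] += 1
    return counts


def summarize(report_text: str) -> dict:
    """Hunt-ready view: value names to search for, autostart targets, injection pairs."""
    persistence = parse_persistence(report_text)
    writes = parse_memory_writes(report_text)
    return {
        "persistence": persistence,
        "value_names": sorted({e.name for e in persistence}),
        "autostart_targets": sorted({e.target for e in persistence}),
        "suspicious_targets": sorted({e.target for e in persistence if e.suspicious}),
        "injection_pairs": {(s, d): n for (s, d, _p, _t), n in writes.items()},
    }


if __name__ == "__main__":
    summary = summarize(REPORT_ROWS)
    for entry in summary["persistence"]:
        print(f"{entry.kind:8} {entry.name:10} -> {entry.target}  suspicious={entry.suspicious}")
    print("value names:", summary["value_names"])
    print("injection pairs (src, dst) -> writes:", summary["injection_pairs"])
```

The value name is the cheapest pivot: a registry sweep for a Run or RunOnce value called Parametr under any user hive, combined with the suspicious-root check on its data, catches both detonations without relying on the randomized directory names (AdobeMV, GalaxC4, UserDotC1, KaVBFT), which differ per run. Note that only the Run targets (xdobec.exe, devbodloc.exe) appear under "Executes dropped EXE"; the RunOnce targets (bodaec.exe, boddevec.exe) are written to disk per the Files sections but were not observed executing within the detonation window, consistent with RunOnce entries firing at the next logon rather than immediately.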
Processes
C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dae544afa273f030c4ed8c43a853a70_NeikiAnalytics.exe"
C:\UserDotC1\devbodloc.exe
C:\UserDotC1\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Note: every connection above is either a PTR lookup via 8.8.8.8 or HTTPS to www.bing.com / tse1.mm.bing.net, which is consistent with Windows 10 background traffic in the sandbox rather than sample-initiated command and control; the win7 detonation recorded no network activity at all. Treat this run as having no attributable network indicators unless the sample's own traffic is identified by other means.
Files
C:\UserDotC1\devbodloc.exe
| MD5 | 6dd30a000464019f3ae13a86314471e4 |
| SHA1 | 806b51c1285186ece2062acc07f2ecdd6f6373bc |
| SHA256 | 7bd4161d3f4319613561e00a8bad0b5a528f421536fa2b9c35f086b87a2ece18 |
| SHA512 | 517a25c841f38d37d139f1d7a8064ab98af01d5b5507d54cbd0d6bdd0ad7cbb5a0908b97ae7632d9f19dbf4549840436cc6b7fbcb831077540f3d1e2dd7f2508 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fb75ee07579b136e73da88b4ecb77ac9 |
| SHA1 | 1826ed91a557cdae63f19a35d7e86fde92a2d786 |
| SHA256 | 5780c2dde72b6100e448bd6303b59d76c6b91570cb53c4d94db2e71a1b13e2bd |
| SHA512 | ecb9a6edf706297fd8a12fbfaa55f0b52d3bf59a4821424aa4ee4bcc1b31f64d052063b70e34584973417026b7f1a02b3e65d22b578f5be4d730f6ec6b58348c |
C:\KaVBFT\boddevec.exe
| MD5 | fd087dfbdf7e85588f5705e96f249982 |
| SHA1 | 08d35500a7070054c757e42cabb0d63c7d191785 |
| SHA256 | 99b571b9057692d2313b44623cecdc95843af51ac02abfadbddfe8ee0c94c0e9 |
| SHA512 | 42d7e7ea08090125907bae531524a32b712e0206ca993cb0511a35bfdd820fc40331a21cafe3e05623ebd82166b583544ff9f50f1a1f820972095129d606291d |
C:\KaVBFT\boddevec.exe
| MD5 | d9751860a9341cad833c76fb3bcc9c82 |
| SHA1 | f01c75166e76bbb9a83115ca7c8ac724d1ac96fb |
| SHA256 | 7131461bfb5da8308470e2834389ee88f25e0b5a431bcb44bc62fbd7c0d55bb0 |
| SHA512 | 17bb79ebecf9e497ca6fd25e994c2fba1c9a21fbe746ec0ddbcb3863d07384912081fb464c6927f9c1688151cdf6ec807efce4d4229c191ae6d327fd45c0d8b1 |