Analysis Overview
SHA256
1bbd510766ee047d45e01ffefeb8e532d951ea8d5d5b7c45ca1c62098be3942d
Threat Level: Shows suspicious behavior
The file 9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:08
Reported
2024-06-03 06:11
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvKG\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\SysDrvKG\devbodec.exe
C:\SysDrvKG\devbodec.exe
Network
Files
C:\MintBQ\dobaec.exe
| MD5 | e9a610ff81252580a57f97c63637b546 |
| SHA1 | d7ce76abc8888605aa32a0d165a1924367401246 |
| SHA256 | 65f84d17616af6973dafe9eba9fd50b8035dd819da26b746673d83e724f547e5 |
| SHA512 | 524937d4d6c8eac9edc54eae0c5a6760a792f502632844d8134b9b5aad9bdb3d1e266cb3d65255c36744fe49b632e2a2e3d52476f8cc1eb5d024d3d08d9e36c2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bd674f9a9bbf1c4fc804c936962e730b |
| SHA1 | 86bc414a26495ee0c14c2fc5007296e0c6d19c52 |
| SHA256 | d26578129a34d600af2960c1cf10f939ef3b27a1195e9dd1fbc50ab81a9cc57f |
| SHA512 | b63a5fb685176bb8016998b4fc0cc042c273cc9f421042832c957bc4c03f2ab4263458fa50f500287aeae0420049cb779c04ff8d66af2e683ee19beaa95b11d2 |
C:\SysDrvKG\devbodec.exe
| MD5 | 5979b10857a7d948dd6d672fc87e29c5 |
| SHA1 | 456a40839b2b93d0dfde994f5bd1735fa0ed56cb |
| SHA256 | aea9e4d01d0b78bcedf27cd0e0f9bce538c9a669e1457b830acef81572170f32 |
| SHA512 | 3720368ebe6e839cef8b0afe6bb7effa390041a5bd1f94fef9289ec1ab567ad0204665848f506caeb13d5c3911e4f386b1a1d66004d87cfdc753e44bfabd13be |
C:\MintBQ\dobaec.exe
| MD5 | b646265f07f9f16a9eedf6d5027f9e3c |
| SHA1 | a47300f0e83643f499e1b7c1be83a375a1293ac7 |
| SHA256 | d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025 |
| SHA512 | 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67 |
C:\SysDrvKG\devbodec.exe
| MD5 | 62f17a18e2665228331086e6e938bfcc |
| SHA1 | 8e2aada25ef3eee33045d7c08ce27d04adfb7da4 |
| SHA256 | 1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385 |
| SHA512 | 0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 9a120875d76e19422a4504a9965d3202 |
| SHA1 | b88513e989719a16cd643919ebb3821389de1a1b |
| SHA256 | ef4825207e96cf9c4a56ce783f06cfbd24a11701c387f2be8513d3b473a44da6 |
| SHA512 | ecca67737d00efc1d7f3d15ae11920686bef0a75cfc8410cee1385d8e04934b12d30457dfc3a12cc6e5526db4de14c229530961f49f1d342f50cc158e5a4f327 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2b5d8d6cdc800372c90a535cdd2c90a7 |
| SHA1 | b23d4ab6f2544566441bd54ce649c51daca96ec0 |
| SHA256 | 3534bac621cfaabd9abbb6cfe631104966fada14c7c76badcceaed94bc8a8f34 |
| SHA512 | 45349a960b9796063a9ac79a381f2e649076c63a18e3b8c285eebebcab7323a4a58e7668eeeb29cacb404d35b85b6d3062a9505babe9088ccf8d7be72e9e999e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:08
Reported
2024-06-03 06:11
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\Files0C\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0C\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintK4\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
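The two "Adds Run key" tables above (behavioral1 and behavioral2) have the same shape: one Run and one RunOnce value, both named Parametr, under the detonating user's hive, each pointing at an executable in a freshly created directory directly under C:\ (SysDrvKG, MintBQ, Files0C, MintK4). The directory and file names differ between the two runs, but the value name does not. The Python below is added here as an example and is not part of the sandbox report or the sample: it parses those indicator strings into hive, SID, key, value name and target, tags the entries that fit the pattern, and reports which value names recur across both runs, which is the more stable hunt key. The regex, the allow-list of expected root-level directories, the tag names and the benign contrast entry are this example's own assumptions.

```python
"""Parse 'Set value (str)' registry indicators from the sandbox report and flag
the autostart persistence pattern shared by both detonations.

Added example, not the sandbox's or the sample author's code. The four
SAMPLE_INDICATORS are copied from the report tables; everything else here
(regex, allow-list, tag names, the benign entry) is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Copied from the behavioral1 and behavioral2 'Adds Run key' tables.
SAMPLE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe"',
    r'\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe"',
    r'\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0C\\abodloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintK4\\bodxsys.exe"',
]
# Constructed benign entry for contrast (not from the report): a machine-wide
# Run value whose target lives under Program Files.
BENIGN_INDICATOR = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "C:\\Program Files\\Vendor\\agent.exe"'

# Shape of the sandbox's indicator string: \REGISTRY\<hive>[\<SID>]\<key>\<value> = "<data>"
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)'
    r'(?:\\(?P<sid>S-1-5-[0-9-]+))?'
    r'\\(?P<key>.+)\\(?P<value>[^\\]+) = "(?P<data>.*)"$'
)

# Root-level directories where an autostart binary is normally expected
# (assumed allow-list; tune per environment).
EXPECTED_ROOT_DIRS: Set[str] = {
    "program files", "program files (x86)", "windows", "users", "programdata",
}


@dataclass(frozen=True)
class RunKeyEntry:
    hive: str
    sid: Optional[str]
    key: str
    value_name: str
    target: str      # value data with the report's doubled backslashes collapsed
    autostart: str   # "Run", "RunOnce", or "" when the key is not an autostart key


def parse_indicator(line: str) -> RunKeyEntry:
    """Split one indicator string into its registry components."""
    m = INDICATOR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a registry set-value indicator: {line!r}")
    key = m["key"]
    autostart = ""
    for name in ("Run", "RunOnce"):
        if key.lower().endswith("\\currentversion\\" + name.lower()):
            autostart = name
    return RunKeyEntry(
        hive=m["hive"], sid=m["sid"], key=key, value_name=m["value"],
        target=m["data"].replace("\\\\", "\\"), autostart=autostart,
    )


def root_dir_of(path: str) -> Optional[str]:
    """First directory component of an absolute Windows path, lower-cased."""
    m = re.match(r'^[A-Za-z]:\\([^\\]+)\\', path)
    return m.group(1).lower() if m else None


def classify(entry: RunKeyEntry) -> List[str]:
    """Sorted tags saying why this value merits triage (empty if not autostart)."""
    tags: List[str] = []
    if not entry.autostart:
        return tags
    tags.append("autostart_" + entry.autostart.lower())
    root = root_dir_of(entry.target)
    if root is not None and root not in EXPECTED_ROOT_DIRS:
        tags.append("nonstandard_root_dir")      # e.g. C:\SysDrvKG\, C:\MintK4\
    if "\\start menu\\programs\\startup\\" in entry.target.lower():
        tags.append("startup_folder_target")
    return sorted(tags)


def stable_value_names(entries: List[RunKeyEntry]) -> List[str]:
    """Value names seen under more than one user SID, i.e. across detonations.

    Per-run directory names are randomised, so a value name that recurs is the
    indicator worth hunting for in Run/RunOnce keys.
    """
    by_name: Dict[str, Set[Optional[str]]] = {}
    for e in entries:
        if e.autostart:
            by_name.setdefault(e.value_name, set()).add(e.sid)
    return sorted(n for n, sids in by_name.items() if len(sids) > 1)


if __name__ == "__main__":
    parsed = [parse_indicator(s) for s in SAMPLE_INDICATORS]
    for e in parsed:
        print(e.autostart, e.value_name, e.target, classify(e))
    print("recurring value names:", stable_value_names(parsed))
```

Run it against more sandbox reports by appending their "Set value (str)" indicator strings to the input list; `stable_value_names` then tells you which value names survive across samples, while `classify` separates the root-level-directory pattern from ordinary vendor autostarts like the benign entry.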
Processes
C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e219efc851548dacefa1027d050b730_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\Files0C\abodloc.exe
C:\Files0C\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | c3042b659f856bd865a383ab619788ad |
| SHA1 | e8cf51dc8dcc7cb82e06941877917b2f2a741733 |
| SHA256 | 74f9cd72e11e6e2128988eafe328ed15235e966dcfeceea0dc41b9560bd88b66 |
| SHA512 | 50e9dbaad4209cb1d955ad2d31ff7cffb59cf4b68dd2e0f35d68660b8ff9eb1d18fd586f17ebe587a6c7ea80f690b609f23ad46e6b98049e0ac479432e7e6d8b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 25ee4844ce9a5e7ce11f8d6dc820bfce |
| SHA1 | cc896a84af4a66d8724d9dad5581904a66cb6123 |
| SHA256 | 6c21f939bc1641e3c7c7f9219c448f2371c3c7caa910494331a7e675a2ad51ba |
| SHA512 | 49dd1efb7e033056597b022df9d543d9633c25edec990e79aabbc48bc8111d0b2d3cb111ef513271a48629ca0d04d7086cde645a7a22fd0aeb972038963aa65e |
C:\Files0C\abodloc.exe
| MD5 | b8e08065f0c3614033929164807a4705 |
| SHA1 | dd151f161b4debfa7b88b58d1e323a342bdc6ded |
| SHA256 | 7564caec69d94c20d4cf4ab6707de7eccfc86fa93a2df26fdea1bdf31314d2dc |
| SHA512 | fa36ae28c6e6473461a5a757b7636313a9bb67fee1053c1e60d607695fa06f8be7d1057d3cf85779aa97da4bf781b8e0b9d0100e3c7205f095afe5838486c308 |
C:\Files0C\abodloc.exe
| MD5 | 87f1137a0692e559ab441d2a7d1b0c39 |
| SHA1 | cc1f315abbabc984223f3ffa5987355b6a46c24a |
| SHA256 | 33d78bd3797703c3018b7fce20d3c05b4983d0e2049b11ad7a5a0018331ee2b2 |
| SHA512 | 58234f0783c86a1b0c1a4c1591dcfce54458bcca0399e026333852d703e0bb6d951e5f65744d82e779e6fc664a9cab995d1023a1d66c80ea23a6363ddd5c084f |
C:\MintK4\bodxsys.exe
| MD5 | c8190a91500bb1d9caa61e3b11eaf128 |
| SHA1 | ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684 |
| SHA256 | 6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e |
| SHA512 | bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | efcd6e35591744a184b0f4b3b808fafd |
| SHA1 | e03420d8fa636e495f4fb4830fb10e3622e32663 |
| SHA256 | b7b9cf470827c5eea2d5f1eb9277d92c172b9bdcd6eaedf91a6d1d10430d3480 |
| SHA512 | 338e1eb48371f771879de92e86edaf427012351d4e796671f1c950d50743122b53ebc79276f1dcf29f1a80153ca05cf34ef67b4d7b6e0c8ebb0c8929b19493a5 |
C:\MintK4\bodxsys.exe
| MD5 | 6e1fdfff051b2de312079610a9335fad |
| SHA1 | 0e7d1db4c1599d74795a8b7127763b072257dc8a |
| SHA256 | ac41cf2fef46ea409509d2fff1891ac57c3d142e3a6a473db590ad1ef8899882 |
| SHA512 | e67ea0adfbf2c59a3c2bcb7408724a2fc4fe648276fccb11b652aa547d907bdf2ee7e10c0d102463d1de289e7cfc68d10d77ca42678fc18749e8556d6c06df0d |