Analysis Overview
SHA256
e91dd88bee2b01d246c74fa29df01e9ef79c0c1612a82629fc451a433f40bd38
Threat Level: Shows suspicious behavior
The file 9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:39
Reported
2024-06-03 06:42
Platform
win7-20240508-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\UserDot5R\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5R\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBI\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\UserDot5R\devbodloc.exe
C:\UserDot5R\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot5R\devbodloc.exe
C:\GalaxBI\dobdevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:39
Reported
2024-06-03 06:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotDL\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDL\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5M\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f02d67f4bb0500e7c040a83ac3b20a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotDL\devoptisys.exe
C:\UserDotDL\devoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotDL\devoptisys.exe
C:\LabZ5M\optidevsys.exe