Analysis Overview
SHA256
4d3082220f6122b6ebcb23b319a62405f94a95c725d4690aec583a3493eef54a
Threat Level: Shows suspicious behavior
The file 9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:41
Reported
2024-06-03 06:44
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrvXW\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXW\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOT\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\SysDrvXW\devdobsys.exe
C:\SysDrvXW\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 35ba61903a2fb9077f3175cda5207767 |
| SHA1 | a4c47c1db91c23b61b7d26f3896b164f6771824c |
| SHA256 | 585209806bc2a11bd6c365b2458703e219cd5d6c8a2bad50950fc54612b4a5a0 |
| SHA512 | b85a3b59726100444e39cc2740062254bdde0ada1778a392fd659c2ea47438c56d21767779a9a4672be910f03e511568281b49241eec7544986c0f718443ab46 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 090271d3e826a47942757bcc8ecf236d |
| SHA1 | e0ec538c34c364f9bd88153d7c7e5f2fe5ab41e0 |
| SHA256 | b9d9e979669b6efc61a53eeb2690836dd105fad8f8e68ceb0bda2a3c7b6cf63f |
| SHA512 | 43daf92b6b0723c09c0008e8ba29c1a11f87c30f8b37e2aea068cf6ab9e063c56da0a7bf98b3f4a1d3103df1d84d3116472801f819fa2203d982062ae93d7360 |
C:\SysDrvXW\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5163d331172072313b443798f3ef5cb0 |
| SHA1 | dd8af4724c602da795376ce45a7aae49549d7442 |
| SHA256 | c69891f9253ad17d8275797eb044bce24efb2c778f0ad7ca2e5a20f2334b6173 |
| SHA512 | dd4de09f278158368eb64147c17a6e2f736bfeb84f47f89ec3266a4b3e38922febb32b313295a5625b609ee4d25b84c5ac6367abc1e629068f0c00c4cda1f87a |
C:\SysDrvXW\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5a9f8c46bfbffae36829116eba41f64d |
| SHA1 | 59f69c16faf4a8cafbdd7b32186e19897e150038 |
| SHA256 | ef2a3f494e13502179e8d6d110009d8a4ab341b87d03cc6eb846bf02a256c4cf |
| SHA512 | a9b75be1381dc8dbe19abfe397e78a8ca9a3c16c619983fa6670eeab0abac1dbaaebf596e7a04c508b33df993da797cbe2ad13b7b1a017e9b4f4d011ef3cc6c4 |
C:\MintOT\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | b9e4330c850df7d9b6c1cdbbb9974679 |
| SHA1 | 16bf92b5431dea7091003070cabc283d121dcc3c |
| SHA256 | 54384e5500166cd323ce6dd065d19b24639fadb6be27a93b17a764415db17e90 |
| SHA512 | 86f4bd86b2d48e0382934c1ad491d8c61d9c56e05272102933f068c113ae3d5abdd5ce4e2bf6b01d1e69b158bfeab04e7b3e0b115f9c74da2483fc8c227b0802 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f0a7b8ccdbd5061924fd1a15e879954f |
| SHA1 | 211e5983bca959bd6f1e9179a90c763ed16b56a8 |
| SHA256 | 47a22b198738a1f6bc3fc0f64d6f930a23043231f861416dadcd718e458940c9 |
| SHA512 | f8b17260cb87f9ff17b1b662150c8effd36390ca75c8496305f399f8eb491cd45e60009e8937683c7ab1a8124bb848db0caf63ec3ff419d5827558012b2686d3 |
C:\MintOT\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | c8e8d1a833a12548258bbd5ee1ed9834 |
| SHA1 | 53fdde0040a8424f1918912cd654e9e1b1bdd24f |
| SHA256 | 1470a36183e81a2352283b9a84dbff18504f8cad6dd96d55d933462b363ecc59 |
| SHA512 | 826610ee885a391095e9d532a60024e1d6c6f60eedfa8f4152601edfaf95fae37d92e85605f31f883e275b1971434f581c3156fbd8fa686adc8571fcc8d858a8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:41
Reported
2024-06-03 06:44
Platform
win7-20240508-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotPP\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPP\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFZ\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f15e65388e1e823efd1b51617e06be0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotPP\devdobsys.exe
C:\UserDotPP\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
| --- | --- |
| MD5 | a468c01dbb678dd152941742d4cf27bb |
| SHA1 | 556cfc758a063554060722f23cc51e70cf2ed5f4 |
| SHA256 | 5510474ec0d1eab1a602be2bedc9350fce324743a4830e34d93dc13a71798690 |
| SHA512 | b6e6000f4343253e3e76c55bf24efc2372b147c34bbc7e4eddc16cc5f90a617971181a248001a9745a71f295b8f1e081c90924993ca55b9f5d282ae814accb34 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c4be3a355f706412906b311ac5d687a7 |
| SHA1 | ef60e9615f396c4c4ae3c41a298add257b6f4a4b |
| SHA256 | fd8257fb386ad0efd620d76766dd0e404973566b032d827894026eeb9c0c7b8e |
| SHA512 | c20b14acdf3adf0ffe2e86770a1b386c152592107912bdbcf6d7a372639009340e13361cdc1202b9c390f2819830eb6f4c3ba18549f5f6d32a64ae7f8ac0af9f |
C:\UserDotPP\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 9c6005b7be783db55be82187ce7e0a82 |
| SHA1 | a24f1b87e3c381f93fb463b82df260d3616fb8dd |
| SHA256 | 0b6c93420fa7ebe365fabd40fc5924dd21920f0c2f9cb15a205a85f11290e26e |
| SHA512 | e3d81315dc112c3531aefe58d31bba4de158dcf56c80b3361173840353d2c3e8a998373a218b7e29384ee4b1723d45d03c124b045a914076854765bd9a155d51 |
C:\GalaxFZ\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 3e94bfcfee6766f1f239572240b312f4 |
| SHA1 | 678a07c23bd6e23bcc676528e9b9be57ae7b0477 |
| SHA256 | 72bf5d12a6a7d19dc66883928886f8d5b9d1b082fd52a0e293673489a83739c9 |
| SHA512 | 6746c767757d664099848754db8300130319e3f1a5a4fd720173bf955c45d574b5c6bd747cd02a75c6ee462699fa2fe41f1682a01e125d82a9f83bc30053d88a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fabf6ec4dfd4d60be2ad77010e5ae130 |
| SHA1 | ddfece24d8876ddbdc9134e68ce0b96d1839f2bc |
| SHA256 | c31685b481e02e8ba66e8ecf198ce03ef6ce984962bc392b18758fc0ef0838b8 |
| SHA512 | 45ecca1318eaa2bff4c87c796b790ad7e46e4963048b384dfee09afe842db57d88a19c9f7b64d691faa087af3175d9cb5c1d221f45cbabb5cbc3c0c7152ad019 |
C:\GalaxFZ\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 2c17801a60ce1fc452740d7024258872 |
| SHA1 | 541724bad5c1bf763363bf39c51d0632160fdb11 |
| SHA256 | b6b9536e6de7319ceec3abb0b23d25f6f28cbad191e5d4f3d650de4fcc284cc1 |
| SHA512 | 80eb1771ad6ecac459b9bbd96c3d4e4e1e919bb81c71d210854437c1a429d700581899da54dc14284f2df8ddc806b31f297bbb332c297d7654e71ccbae9cb625 |