Analysis Overview
SHA256
989995251f92b2d1b6d8ff4a588b76f8a462dab65cb4870c0a9dad27056a30ec
Threat Level: Shows suspicious behavior
Verdict for c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe: shows suspicious behavior (persistence via the Startup folder and Run/RunOnce keys, execution of dropped binaries, process enumeration and cross-process memory writes; no network C2 was observed in either detonation).
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 14:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 14:28
Reported
2024-06-08 14:31
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotI0\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotI0\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXL\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\UserDotI0\devdobloc.exe
C:\UserDotI0\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | a150ea297abf73a83b1bbfbb97722745 |
| SHA1 | 199e20acdc7308484ef8290464ea01a81563cb89 |
| SHA256 | b037ee72a9b679b1d60e9d86b4bc35a73c4041be8bce5ee6757c00e30c55819b |
| SHA512 | 31b89af87d9d032dea346f86afc8f6aa8d7d41ec3c3c4ce1528e140fecdaae003fe4db600be791db6a3e1c8d24b4b030f5707502bbd26d0281984b43e7e9613c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fc7c47fe848565142a43008441217222 |
| SHA1 | df637ab4729b060b4785c4d30caf465214a5ef2f |
| SHA256 | 3758852cfd6e2b351b9bbf668ac69d1ae27fc970b13c95e29189670be4dee762 |
| SHA512 | 9556be0e7b8c838aee594f922f47444f60a863426c48cccb80aa5d1774150cc12c616ee886af1c969c379e0b3b84c14f647703cc78e76cae3d54646c90ae6c36 |
C:\UserDotI0\devdobloc.exe
| MD5 | c1fdae2e57b2765bf7cf539b5285d0a7 |
| SHA1 | 3195ba56b7432256ba4c9aef65df64dd991a1b76 |
| SHA256 | a25c43c7110a27b10eac3f395b1e4efbb80d4720c7cf2a63cde93f740b11c5fa |
| SHA512 | 3c0d43a164cfe89db33bf45327112c6f35fdc9eae3069448e1f6071b9bc1496e75547c408cdfec4aca33bfd7041d39337a4f28f4014688237f3944676346f217 |
C:\GalaxXL\bodxsys.exe
| MD5 | ab25ef7b9799f9f5bf14a152dc845333 |
| SHA1 | f2651b77cfad2abf59996e5d49f36345d81520db |
| SHA256 | bf64ee580070817c9ce4397e000c66e1db738b295afa9c224009b15894279d5b |
| SHA512 | eb9bc606567650f3099a8dca2ffb2ed01d338fa154a9dd86ddb5e5908799b4f334a71ba95c0ac4a154a685a7249df53f44f56fa4d22d268fc008d2bace8c7736 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8ec770cd69a63d2ad7df4c51511f0951 |
| SHA1 | 81f22feed879d24e2490d939109128a5e06051e7 |
| SHA256 | 8d866fc0c6d6203c44e971e8fb09171b55b3fac8e5aa81e9c3f54a44322e5266 |
| SHA512 | 9151a6dd30d05cac58f48b61aa78125dd57474917b52984ee0985503906e475f9591eabb47e4d06eb61dc8cba0ec85e783a41731a8c135a50298f7d4e12a7ae0 |
C:\GalaxXL\bodxsys.exe
| MD5 | 344ab737047e1aee4f577e32544debac |
| SHA1 | 5f3542f558919dd5996118475eadae647bac53b4 |
| SHA256 | c63c5ddc1501981fcc67c89cadd01a6623113d27dd41e649b981e2f1151d4b94 |
| SHA512 | 74f0cc6f802ba43f788d01c905de3a940d3ef20255270da69ec313067f374f6c8c15c46068d2b9789d8c6a842e0c8d426316d0359432aa3adb99e4509fb305f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 14:28
Reported
2024-06-08 14:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeQ8\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |
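Both detonations register the same value name, Parametr, under HKCU\...\Run and HKCU\...\RunOnce, each pointing at a binary in a freshly created top-level folder (C:\UserDotI0, C:\GalaxXL, C:\AdobeQ8, C:\LabZHK). The script below is an added example, not part of this report or any vendor tool: it parses the report's own "Set value (str)" rows (copied in as constructed sample input) and explains why each write looks like malware persistence. The trusted-directory allow-list and the scoring heuristics are assumptions an analyst would tune.

```python
"""Flag autorun persistence in sandbox registry events (added example)."""
import re
from dataclasses import dataclass, field

# Key tails (case-insensitive) that start a program at logon.
AUTORUN_TAILS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# Assumed allow-list: where legitimately installed software normally lives.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

# One report row: | Set value (str) | <key>\<name> = "<data>" | <process> | N/A |
EVENT_RE = re.compile(
    r'\|\s*Set value \(str\)\s*\|\s*'
    r'(?P<key>[^|"=]+?)\\(?P<name>[^\\|"=]+?)\s*=\s*"(?P<data>[^"]*)"\s*'
    r'\|\s*(?P<proc>[^|]+?)\s*\|'
)

# Constructed sample input: the four Run/RunOnce rows from behavioral1 and behavioral2.
SAMPLE_EVENTS = [
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotI0\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXL\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe | N/A |',
]


@dataclass
class Finding:
    key: str
    name: str
    target: str
    process: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return (key, value name, target path, writing process) for a Run-key row, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    key, name, data, proc = (m.group(g).strip() for g in ("key", "name", "data", "proc"))
    # The sandbox doubles backslashes inside REG_SZ data; undo that.
    return key, name, data.replace("\\\\", "\\"), proc


def autorun_tail(key):
    """The matching autorun key tail, or None if the key is not an autostart location."""
    k = key.lower()
    for tail in AUTORUN_TAILS:
        if k.endswith(tail):
            return tail
    return None


def hunt(lines):
    """Return one Finding per autorun write, with the heuristics (assumed) it trips."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None or autorun_tail(parsed[0]) is None:
            continue
        key, name, target, proc = parsed
        f = Finding(key, name, target, proc)
        t = target.lower()
        if not t.startswith(TRUSTED_ROOTS):
            f.reasons.append("target outside Program Files / Windows")
        # "C:\Folder\x.exe": a top-level folder on the system drive, typical drop location.
        if t.startswith("c:\\") and len(t.split("\\")) == 3:
            f.reasons.append("target in a top-level folder of the system drive")
        if "\\appdata\\local\\temp\\" in proc.lower():
            f.reasons.append("written by a process running from %TEMP%")
        if proc.lower() != t:
            f.reasons.append("writer registers a different binary than itself")
        findings.append(f)
    # The same value name under both Run and RunOnce is a first-stage / second-stage hand-off.
    names_by_tail = {}
    for f in findings:
        names_by_tail.setdefault(autorun_tail(f.key), set()).add(f.name.lower())
    shared = set.intersection(*names_by_tail.values()) if len(names_by_tail) > 1 else set()
    for f in findings:
        if f.name.lower() in shared:
            f.reasons.append("same value name set in both Run and RunOnce")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        subkey = f.key.rsplit("\\", 1)[-1]
        print(f"{subkey}\\{f.name} -> {f.target}")
        for r in f.reasons:
            print("   -", r)
```

On a live host the same checks apply to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `...\RunOnce`; the RunOnce entry is deleted by Windows after it fires, so an image taken after the next logon will only show the Run value.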
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c23164dbedc67bcd12876522f55dbf10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeQ8\xdobsys.exe
C:\AdobeQ8\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 11200c80dd280ca74e2e3c6507ad03de |
| SHA1 | 501527750bde62975d4c7cdc2ac3439618bb08e2 |
| SHA256 | 2c17090c35150f617c9386d0441e3c66cf5ca233a5219ed6e8b85b35d0a212ad |
| SHA512 | d907c9e5ef08d155f73dbbff60ed6f9617777c9b51de5f552008fb90bdc9b48600a861ceb74d7879ab273b8ece91a2167c257cb32ca047c53a0d9976981dd59b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3dc4f0865b013b77ea1c1e40d17dccde |
| SHA1 | b83c72c8fd79ce675131066eb3c1252900e2a2df |
| SHA256 | 9ec26492357be56db6f4c1d9d7d8ca8fcc31958f1ed040e1f1c9e382881bad61 |
| SHA512 | 733c311e900f1581e60888d9bedfa79f122fd4365502b69d21a5750988649cbee2e045cfb44e4b0130d6dac88ba28f332688cfe612c48dc4e228c56a948b3c65 |
C:\AdobeQ8\xdobsys.exe
| MD5 | 62e4de4827e52e4e8fe55b2fcd327d65 |
| SHA1 | fcdb059ab96a41f1d04bf48ca65dfdcf7e4f3bca |
| SHA256 | da2dc14591bf8663b6ecf1c177e0a163b8cf0d6ff8ada86aefc11c71353b243c |
| SHA512 | 290fc4e4f83daf9b8bc6eee2c028060b11098a6e8e7c68c754817f70d0dcaaba1a058fe31f9d1a8fb942802209bc116f44d3e1a730e7ec8479087061fea21ba7 |
C:\LabZHK\dobdevloc.exe
| MD5 | 5dfd1fcaf2d285ab6290a78ee4fb232b |
| SHA1 | 1853582e1d3e70c00771909d1a248111fb96ff13 |
| SHA256 | dbe9382b77f769d6055068734fdd832bfc2e2054079e0de9367deee70af30885 |
| SHA512 | 63e53a2e7e2958406f37c704c339aba76f012a62656a415399a5d50bf6da4cfdeae846921e433b47093a3783791b870dc8ffaf35727136200658b07ab262ebca |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e58fc5a0a2aa67564c0bfdb1669f6de6 |
| SHA1 | 8cee14566e0b33401967622237b2bc41f3898f8e |
| SHA256 | 9f7fc27bcfb84497974f61496545e3eb1107ef9278f8790e1de55e0c74a161eb |
| SHA512 | 13a55bb7ff58e3435ca6191bb5a2f8589d497982453ff842e6caeccb9eccdb13be51f07a168d3e43e7019c3efae5d1c06ae0665ea6eeab4ed3c1396b069eb1e6 |
C:\LabZHK\dobdevloc.exe
| MD5 | 0d78ef5abfb4eca1fc6f05520f401935 |
| SHA1 | d8671f75ac708a092cfef21c07c22c853c44dcfa |
| SHA256 | e5f9e6a959bf7054c5397d9472b01707d0ece7fa84a646b05db0d086ef4e8a3f |
| SHA512 | cd4ab201e0041ae0ebea9effc7f415fcf3680021025309d909bd89306d382d428bd41cc2910ddfcf83f7a8f9ebecb43e82f7263863a8c3cbb7e80bbf2b70b95f |
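In both Files sections several paths appear twice with different hashes: the RunOnce target (C:\GalaxXL\bodxsys.exe on win7, C:\LabZHK\dobdevloc.exe on win10) and the per-user .ini (whose name embeds the OS version, 6.1 or 10.0, and the user name) are each written and then rewritten during the run. An IOC list that keeps only one hash per path misses the second version. The script below is an added example, not part of this report or any vendor tool: it parses the behavioral1 Files section (copied in as constructed sample input), reports which paths changed content, checks that every hash has the length and alphabet its algorithm requires, and emits the full SHA256 set.

```python
"""Group sandbox file hashes by path and flag rewritten files (added example)."""

# Expected hex length per algorithm as labelled in the report's hash tables.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample input: the behavioral1 Files section, verbatim from the report.
SAMPLE_FILES = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | a150ea297abf73a83b1bbfbb97722745 |
| SHA1 | 199e20acdc7308484ef8290464ea01a81563cb89 |
| SHA256 | b037ee72a9b679b1d60e9d86b4bc35a73c4041be8bce5ee6757c00e30c55819b |
| SHA512 | 31b89af87d9d032dea346f86afc8f6aa8d7d41ec3c3c4ce1528e140fecdaae003fe4db600be791db6a3e1c8d24b4b030f5707502bbd26d0281984b43e7e9613c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fc7c47fe848565142a43008441217222 |
| SHA1 | df637ab4729b060b4785c4d30caf465214a5ef2f |
| SHA256 | 3758852cfd6e2b351b9bbf668ac69d1ae27fc970b13c95e29189670be4dee762 |
| SHA512 | 9556be0e7b8c838aee594f922f47444f60a863426c48cccb80aa5d1774150cc12c616ee886af1c969c379e0b3b84c14f647703cc78e76cae3d54646c90ae6c36 |
C:\UserDotI0\devdobloc.exe
| MD5 | c1fdae2e57b2765bf7cf539b5285d0a7 |
| SHA1 | 3195ba56b7432256ba4c9aef65df64dd991a1b76 |
| SHA256 | a25c43c7110a27b10eac3f395b1e4efbb80d4720c7cf2a63cde93f740b11c5fa |
| SHA512 | 3c0d43a164cfe89db33bf45327112c6f35fdc9eae3069448e1f6071b9bc1496e75547c408cdfec4aca33bfd7041d39337a4f28f4014688237f3944676346f217 |
C:\GalaxXL\bodxsys.exe
| MD5 | ab25ef7b9799f9f5bf14a152dc845333 |
| SHA1 | f2651b77cfad2abf59996e5d49f36345d81520db |
| SHA256 | bf64ee580070817c9ce4397e000c66e1db738b295afa9c224009b15894279d5b |
| SHA512 | eb9bc606567650f3099a8dca2ffb2ed01d338fa154a9dd86ddb5e5908799b4f334a71ba95c0ac4a154a685a7249df53f44f56fa4d22d268fc008d2bace8c7736 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8ec770cd69a63d2ad7df4c51511f0951 |
| SHA1 | 81f22feed879d24e2490d939109128a5e06051e7 |
| SHA256 | 8d866fc0c6d6203c44e971e8fb09171b55b3fac8e5aa81e9c3f54a44322e5266 |
| SHA512 | 9151a6dd30d05cac58f48b61aa78125dd57474917b52984ee0985503906e475f9591eabb47e4d06eb61dc8cba0ec85e783a41731a8c135a50298f7d4e12a7ae0 |
C:\GalaxXL\bodxsys.exe
| MD5 | 344ab737047e1aee4f577e32544debac |
| SHA1 | 5f3542f558919dd5996118475eadae647bac53b4 |
| SHA256 | c63c5ddc1501981fcc67c89cadd01a6623113d27dd41e649b981e2f1151d4b94 |
| SHA512 | 74f0cc6f802ba43f788d01c905de3a940d3ef20255270da69ec313067f374f6c8c15c46068d2b9789d8c6a842e0c8d426316d0359432aa3adb99e4509fb305f4 |
"""


def parse_files(text):
    """Return {path: [ {alg: hexdigest, ...}, ... ]}; one dict per time the path was hashed."""
    records, entry = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) != 2 or cells[0].upper() not in HASH_LEN or entry is None:
                continue  # not a hash row, or a hash row before any path line
            entry[cells[0].upper()] = cells[1].lower()
        else:
            entry = {}  # a non-table line starts a new file entry
            records.setdefault(line, []).append(entry)
    return records


def malformed(records):
    """(path, alg, value) triples whose digest has the wrong length or non-hex characters."""
    bad = []
    for path, entries in records.items():
        for e in entries:
            for alg, value in e.items():
                if len(value) != HASH_LEN[alg] or any(c not in "0123456789abcdef" for c in value):
                    bad.append((path, alg, value))
    return bad


def rewritten_paths(records, alg="SHA256"):
    """Paths hashed more than once with different content during the detonation."""
    return sorted(p for p, ents in records.items() if len({e.get(alg) for e in ents}) > 1)


def iocs(records, alg="SHA256"):
    """Every distinct digest of the given algorithm, so rewritten files contribute both versions."""
    return sorted({e[alg] for ents in records.values() for e in ents if alg in e})


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    print("malformed hashes:", malformed(recs))
    print("rewritten during run:", rewritten_paths(recs))
    print("SHA256 IOCs:", *iocs(recs), sep="\n  ")
```

The first path in the section is printed by the sandbox without its drive letter (`\Users\Admin\...`); the parser keeps it as written rather than guessing the drive, so it will not merge with a `C:\Users\...` spelling of the same file.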