Analysis Overview
SHA256
7a3a725cfb1e065a5325570141799ed98405165dee987f13ef088afc71d6fa9d
Threat Level: Shows suspicious behavior
The file 3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 09:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 09:37
Reported
2024-06-11 09:40
Platform
win7-20240508-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvZD\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB23\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZD\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3044 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\SysDrvZD\adobloc.exe |
| PID 3044 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\SysDrvZD\adobloc.exe |
| PID 3044 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\SysDrvZD\adobloc.exe |
| PID 3044 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\SysDrvZD\adobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe"
C:\SysDrvZD\adobloc.exe
C:\SysDrvZD\adobloc.exe
Network
Files
\SysDrvZD\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 8012b9f0209cd637974467411efdd658 |
| SHA1 | 534b777fdaed4936b6ad08adb5233423ecfe8e91 |
| SHA256 | 9eab8a140b37fd5896241f9b10819afdac28a411afbb682b9bd59c7d50d4d8d4 |
| SHA512 | c65651b9b152a2d3a8c1f9b56fe6f1030d723dc2085d02c3e1b9e518f316180822d6134329e6e78e325bb5d55b66b6eb7e97f27c4ec0c5ea8a1cda292347afa0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 82f6c873d51352577e7757e683da1133 |
| SHA1 | 8d89561cdda9fb424aa673fd4fb5b62cb0ceb468 |
| SHA256 | 0aaed73ef2ea9ebcef3403cab1bd9b5afa9b0333366a8cff8e876aaf42df47fa |
| SHA512 | a1371b4c4312d3bbc77a5ff9c44a85d072140d015fe57bfe4b5b979fdd1fed28c683feddee7bc3d95df401137a6eaa8497556c77896dcd9bb3369ec82f4d895e |
C:\KaVB23\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | df8f105390fcebef8a3f9bfb7c76d85f |
| SHA1 | ca0635ab14d730294efe24f751897bf9b436a258 |
| SHA256 | 144e9a4b054ed6addb2325da622715565977bee1297dc6e103f6374064cd65bc |
| SHA512 | 290879e11f90a4b20fca1a600ea9991703026488c4df8286d25612596f0ca77073aeaa34c4da8a2d60cd22577f699647840b38693cdf632cf2e633d9546d6f4a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 09:37
Reported
2024-06-11 09:40
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Files2E\adobloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2E\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAQ\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 400 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\Files2E\adobloc.exe |
| PID 400 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\Files2E\adobloc.exe |
| PID 400 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe | C:\Files2E\adobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3051fc1b6df514e84525d98029fb7200_NeikiAnalytics.exe"
C:\Files2E\adobloc.exe
C:\Files2E\adobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Files2E\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 1c3bf2f0300ac85a570f9d515d6c3c64 |
| SHA1 | af0eab0efe02293ec78b5a34f1bbd0854604414c |
| SHA256 | a8a12e6484266f166c1b5bf04fb0e7a7b1d8858b958a89ee409f1e30c47c0686 |
| SHA512 | 9fab2638171024a0e75f45bd7e4be40ff2c07d3fbeb073f1ebb33417effcf721b103907d7a0bdc63eddfc8f127892593f61577a4170754a995d09d706ea76955 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 815a319edff5c4447465eee118613e95 |
| SHA1 | 42c1d0f461598d5afc50b4c67b9f5f209e5aed06 |
| SHA256 | 3cf6e53a65ccb3d6b1de5670c73749dd9f09e4599d0224e750a696d9f9e2a56e |
| SHA512 | b56e86a707378d011c62d97d2b2c854ed2a0de579d28f1e143e275094cf7a1bb0e4a0bc5cd130c5f620fa28240d62d5ae2cb43c7c06a8f353b82d2d4ad95ae58 |
C:\MintAQ\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | 3d7d2512b15631e2d354d7b0a0b6e77f |
| SHA1 | 52571fceb5c99db257a17a1530e71b86001d8a9c |
| SHA256 | 73c3a19a6e4a438d18451d9f941170a68f3d5627d1213bbbc9e40cb405aec677 |
| SHA512 | b018fb01657248a309d21b49e59f04561de21ce8b6198d70c29a2fae142eb26da0d85ec3a298d900ec420fdda2575cd2f769ba29812d517c0614983db87311d1 |