Analysis Overview
SHA256
6183d1cac848af34e0dd5d796819d29311ee895f8f6db11635828b9165c77032
Threat Level: Shows suspicious behavior
The file 3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:06
Reported
2024-06-12 13:09
Platform
win7-20240611-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\FilesPZ\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPZ\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ6\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\FilesPZ\xbodec.exe
C:\FilesPZ\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | b0b8e50db8cae70071bfefc8a19a50c9 |
| SHA1 | 3c2c57d1ee9323c08cd09ac797b826d74f19dbc1 |
| SHA256 | 504030fdd103c27b4089b5a794a55308f8de422f4715088fe11de068746adcd4 |
| SHA512 | 0539332b2e22ff7fd79d48b39219bcaf44d603a129f54e174259fbd636bd33de172ae3b561addf029b9db2590383f5df35dc7f4daf8af3e530c9f782581bc497 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5095d66016193fc4a6d95b149743438b |
| SHA1 | 180f6d217527436aca754d676c41722adfc5b561 |
| SHA256 | 9c6211ff7db4d1ccc006caebe8e48435108793513d2ac4acb39cb04ff0e9ffcc |
| SHA512 | c753e1f2203e22f062b40049521030d99660e3e9a93dcbac4f528bf13a98fc86519c4c303d79b2f9a8e842f26b8d111a181bf5bf80b6ebf151dbfe4b8b4440ed |
C:\FilesPZ\xbodec.exe
| MD5 | db82c8e1e4e4fefe5a0d7cec2843a305 |
| SHA1 | d05dbbcac3af5e39f998e22c21508527e29ef50c |
| SHA256 | cf31f01b60d529c823eab3038703f966a5119931fa025cce40a87e1633db4a1b |
| SHA512 | 2a553814ecbd8470edad3dd19ff12da80da4223dab37e1e9f0f9485d0e4cd8daef6e5c1b24bfc1bd48305c4af9ef22309beaa4dc23843e265ad3771abc2ea5c1 |
C:\GalaxQ6\dobdevloc.exe
| MD5 | 578ea6a5f1ce4cc1f96ae7d42d547280 |
| SHA1 | f752c611daa10ff3e1d61e7102656b54b7da73f8 |
| SHA256 | 63c82c22e112198afdc6fd036e389534ce6af6144c64878d63a2ca97ae93ba26 |
| SHA512 | 6f2489060890798ee1d804fd11b889bf10f62c5c09f09c11b7f125cd5539e9d39c70d54e74e2bb3274de73138b8027598182c04033e1fc91ed5432481ac16348 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7b71a09ae15f11393d34f50165929ad9 |
| SHA1 | de3fd1480334a21d562209cacc0d8922f85f143e |
| SHA256 | efa3a58e48ffb1599986ab2a6b527289989864016b2a0b87d60ab413352d1bd4 |
| SHA512 | f55953f8302a5e32864c3e820ea3d680083650ef254a303b1d8a5d0daeb018cd904f141b279f06617fb4c61a46e9d5dbd3cb51d2db9b3ec78cc67e7980aa18eb |
C:\GalaxQ6\dobdevloc.exe
| MD5 | c734d02e63c97aac94d2ff8d5cd05f27 |
| SHA1 | e110304fa6ab2fdbe456508c594d62100a9b16f6 |
| SHA256 | 2e069205cf05d49aa48ce2654d52ba962c6602a7214ce6a8e713e8c41a8e9b17 |
| SHA512 | c6fd8f1acf9ccd8b3747338206cdaad775b6329d988131bc81d154466627f5b8dbaf741d83fc3dbf9e1a633d994b00ce598cbc1eb89bbebbe625d467fc2ae158 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:06
Reported
2024-06-12 13:09
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvRD\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRD\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintER\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cc47c00cc72e68a881ef4960a223220_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrvRD\aoptisys.exe
C:\SysDrvRD\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | d2f856aeceddd993ddcbbbef76b3e62d |
| SHA1 | 51ff96506d2d6012c91e9a08947805e48287b06e |
| SHA256 | ea82aafa160b28ce8cdd67b5a448d39e9fd4ca7655e2b4fcc6df4b3379293737 |
| SHA512 | 977cab8cce9fdebaef6f7cd841841dfb9f75fd0251302a4b27f3a089f13dc860616e7a48a0a648328169a85a6d5d8b8ec8463e6f2fc60c8bb548d19923b1ea87 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ecfd3557d2ed18ce4069985ff03ce708 |
| SHA1 | afbcfbfab8ecd2131a0a4c811c67556f216f96e5 |
| SHA256 | e3d6a3ffdbba19b892c4fcd928ce0fb87d4af92781f1e6259dfe6f4395e9e356 |
| SHA512 | 16becb18d96627480354947b9a2ae94d337e78f4d92766d77b6aa4794cef9c9dc6e4426d5b38a3dbdf8acd2973a3f299228f3cb88540ce424001def49abc9b8d |
C:\SysDrvRD\aoptisys.exe
| MD5 | 95b34ec8a31d0ec3abd07d4677803b60 |
| SHA1 | 058221246f7fee09356a1d810b027a0a15ec27b7 |
| SHA256 | f61247540a7fe46ae909d911bec84442789841bdc14575e7e3d40ad9d1e5cc99 |
| SHA512 | 985f6a747c5b46f25e129fff1877a3b48d271a13c298f30e460b490979d7a2303a2cac51c78dcce969f7ac9f1a6f288a48a5660f5317ddcb07a4634dd7a79499 |
C:\SysDrvRD\aoptisys.exe
| MD5 | 83ed8cfca063f3de619b965d1c331421 |
| SHA1 | e32259277cf7f34f1ce26690e8fc2ac17a2069ce |
| SHA256 | 80feaa2ca102104a04de50981b2302e14bdc1050df4e4e3902a3659355fe6445 |
| SHA512 | 594be7040aefd0a302e76cad7d9e6f4b98bb6d65a1a7c3e15ceb54b3154bfe7aebd494084c1365bd0cbcc2bcd3a4c6327f40f483edcff0a7b1f979330bfc161c |
C:\MintER\dobaec.exe
| MD5 | 1813890ae3ea9f2197e18015ff9122b8 |
| SHA1 | 7bee4e6f71c91b0b575acd3d46d2f7e41c8aadd5 |
| SHA256 | 46e0ce27d3dbd82e299f0ed515128f4762561d8aa0dd0bbd7b73f8e49e806315 |
| SHA512 | 8adc15db5f816602c4240fa0860ffaa4583e31abaa313ed2f039cd52dca7d7f7e3a6957939aa2e9cf4f955cc358582393ddae016e2c23d0c5e86372e8a384667 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c9b6cd193b94db01da9adbb25618a35a |
| SHA1 | 9d109148f6c175cd6c65a9fc04493f639368fdf7 |
| SHA256 | de0fa00a9ce9d52a49b813006b750a572b9059d60a27265056b362ba312c9716 |
| SHA512 | 8400ae86d7b693018e9248c46b79ffdae5878fa11ae52ff0460b52224bf7e4e548fb64c1e189cb79d9eeb692f8a096702191273a5536f2cff1697e2b5cba3b4c |
C:\MintER\dobaec.exe
| MD5 | 81306907a8898717e74eee7fe3ec9748 |
| SHA1 | 6871f1f920d712de6120473f387e1497841b3829 |
| SHA256 | 1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322 |
| SHA512 | 205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730 |