Analysis Overview
SHA256
a61ce869d228e1e79be2462fa23779dd5a1c43642e470b7ed4232b48c71cc393
Threat Level: Shows suspicious behavior
The file 3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:36
Reported
2024-06-12 13:39
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
58s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesCE\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCE\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBB\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesCE\devbodsys.exe
C:\FilesCE\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:36
Reported
2024-06-12 13:39
Platform
win7-20240508-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\FilesSL\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB63\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSL\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3eaf7470bab5b68d7c069891d99d1d10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\FilesSL\xdobsys.exe
C:\FilesSL\xdobsys.exe
Network
Files