Analysis Overview
SHA256
9d7efcd09159543f94224209438afcb565240f0a04c11a33d9bd022a705f06a1
Threat Level: Shows suspicious behavior
The file 400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:59
Reported
2024-06-12 14:01
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\IntelprocHO\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHO\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTO\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\IntelprocHO\xbodloc.exe
C:\IntelprocHO\xbodloc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocHO\xbodloc.exe
C:\IntelprocHO\xbodloc.exe
C:\VidTO\optixec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidTO\optixec.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:59
Reported
2024-06-12 14:01
Platform
win7-20240611-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeD8\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD8\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR4\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\400a6face13f1fb9d5a6cb6140049db0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeD8\devbodec.exe
C:\AdobeD8\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeD8\devbodec.exe
C:\MintR4\optiasys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintR4\optiasys.exe