Analysis Overview
SHA256
3fb57e31e644e15ad5de68b1906f938576a0769291c231bba2f0500114c4e56b
Threat Level: Shows suspicious behavior
The file 50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:40
Reported
2024-06-13 00:43
Platform
win7-20240611-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDot2S\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0R\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2S\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDot2S\adobsys.exe
C:\UserDot2S\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | fa8c38ff140bbef3cc6bda19c465a343 |
| SHA1 | e25c1725ab759c6d5684faa08e8ca2ec2aa13667 |
| SHA256 | f2f0d574c43dd5532273ee066f8faf77bc8490ade03586155d0436cc8c41a02c |
| SHA512 | d7fe4d048aa24cf2e64075846a66d6e96f75d67d173e0a9e9ca1f5c45d94d56228a6c22407cdc1e39833f90d78f616fe13ffe854d6ded817da9c9c0916d481ea |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7a65401920d767dd6bac3c259087a846 |
| SHA1 | 5e1f1a3de7e0ddc1d7395fea48ff9cd02d5e1fd4 |
| SHA256 | 827e8c51ed4e267937439d24b71ba619fd4b08d7d19ad3697283f987f86cae84 |
| SHA512 | aae04e1fda9885001865713f48206bc50c380abedb82870885da5b38e9329ccde20a0040ca321319fa97c777087596552a486fa8b7fa368af2630c54c3d28f13 |
C:\UserDot2S\adobsys.exe
| MD5 | 141ec5cbad77a389d1535761127df668 |
| SHA1 | 644ef496f1484f798ed524126d578498a18873b6 |
| SHA256 | 760495e8cab0f426af2b8ae5d2bc2392c5a27600c695f7eb2e21aa4745942ba6 |
| SHA512 | 5fc86382d1d6ce03ce7cf56252de181b3094fa703cc4009015756bb6b4b080437e88950cb92eb1738666453c16a8c67a83c0e096e120aaa6f4992fd6a0d28ddd |
C:\Mint0R\dobdevloc.exe
| MD5 | ef5039d1e8fc23e775ae0faa981b4ee4 |
| SHA1 | 780736008d3cca6dbf2d38360d71e05c3e6a1cbf |
| SHA256 | 8dce72c804183f43cd5fb839c728001d1a1618bb6e80fb1543635e6d0ea6d336 |
| SHA512 | 4864590b5ec34a18f0eaa7099a8b004fba28a3f1280fdf49ef6f3c4d286d51e93e384c34fc8c3e950bd6bd914b34c5017b6826e3162d3caf32f349d3598ed610 |
C:\UserDot2S\adobsys.exe
| MD5 | b5becc291be8ce0a02c36f30883c7ff3 |
| SHA1 | c2b0575f8fc11c612dbda429d418ef62d35f444c |
| SHA256 | c17743d6371c053c1f86f0da27e9afbecdcc043878f5e8eaf8fb8e5184ce1795 |
| SHA512 | 8f0780d730331f618779362c20012ae7d50161082c9b627c4c03facd85010293cc1f4a2d71a3d6d12a5dcea851bedff31206d246801762a2700f572188a81f15 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a6f1d860fb41851b92cd6f8557d93e82 |
| SHA1 | 9accd826613b07fa4a03829d0082c3126ad39cf1 |
| SHA256 | d63f89d33467acce77bf122216777e1148f5e4f29166c2d5dfaad06d9877c546 |
| SHA512 | f4c0e3a99e8a32313f9269f958968db63057f58c2ce911366b21142e9858f32dbdee3b0d72d1cd485e510303ecda9851bcf3a62faaf065d5bb37c65c3655f5ab |
C:\Mint0R\dobdevloc.exe
| MD5 | 135654b6a687e95a2dfe863c72efbd6b |
| SHA1 | ea0d13f9f07259eecbeab96316a6577a253d678f |
| SHA256 | ce6e9a205b70aaa9638ce9914f0a1b003d9698119abd8e3a874a216290f7f11b |
| SHA512 | cac6908e43d251ca368c2f17ee3422f1d2279385a17d5bbec6bbc84f498208d7bcc1137950bb770c13dee92a5ec80d36cf3ab63b5637f37334c8683fddf53012 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:40
Reported
2024-06-13 00:43
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\AdobeZQ\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZQ\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBJ\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50dc838f909c3f2772c8ffa84dba5940_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\AdobeZQ\abodec.exe
C:\AdobeZQ\abodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 6e8a0a8e41171677383e4988757232e0 |
| SHA1 | 2d62b61bc29c788cc3297885f913ca8bfcc6ca2b |
| SHA256 | c065af1d891e9c99aaf771b64dc9ff893093859989973ab3074cfd4627ef5032 |
| SHA512 | a45a6118b332df0c97dbd30ee04cbebaf6764a9f94936d138ae316f228176984031b6793057a9c9151731c6e6a3313107b048f4c701d969808e452f03badf0f5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7d95a0ecbf4cefb7da8a2936e1ee7eb3 |
| SHA1 | b20e4962b78684992716aa7f53097cd081ef1e0a |
| SHA256 | 836c093441e24ea40935c60bbbd93685b45fc93ebf2360490048c1d7ce0f7657 |
| SHA512 | 8f930264feeec2fcff07313091cce9acc88a7e835a46c0a80f37ead77f19fbe695a3ac034536e660aec9f280b06580199881a876b964e3082052b55b5a691474 |
C:\AdobeZQ\abodec.exe
| MD5 | eb0c63ab1da6660e272d7b24027edf8a |
| SHA1 | ef879a9f53d98468ab200f4f4fdeba286d50c399 |
| SHA256 | 6ea25695a9aad32904703c66f8beada7524903e101092b29b376f2f7cce84be5 |
| SHA512 | a767c6dd453ad3f06291187328b241bf19123f2bdd9df15ba19e2e2b491ad90fda38d99de7a011ea0aa3b6ec5be7b07d0c4a40379a11377d182a1c26a87785eb |
C:\AdobeZQ\abodec.exe
| MD5 | 43d9edf10c798ea216f4cdd027913284 |
| SHA1 | df4fe0fb48ee5be7e78d4a83aa339597413d22b2 |
| SHA256 | 1724d8ef0ae05c32109f4255bc44a69b360556d23284b1e1468c0ad72c3fe1ab |
| SHA512 | cce395700a8f51ce901ae629fb01e1731d1839e03be3f2dcf6b51873813f9d477952413aedecb78e648e7fbab741aeadb08a615b8bb62c49803a0e2f04bdec4a |
C:\KaVBBJ\bodxloc.exe
| MD5 | 49050df08d44a574acbb9d0c2c02c3b0 |
| SHA1 | 539061b5b19f358a39ca9d013f5f68577696e126 |
| SHA256 | 64b4883067fb2e8cc4703560451cfcb453152ac1bd05ebfd895d14ba81cffb18 |
| SHA512 | 3274f568472d5454bef9a5a42019bc9c4cb04e847b0f09c42f1851277c7d08de6b0aec8bc9b8ae0585d34a8db9946b23c61de89daa546475acaee97979f6a598 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 43b9cfa445e663fac0fee441d5adaa1c |
| SHA1 | af0d3ffe82bc20081e5b799a0575eed2d0cd9890 |
| SHA256 | 5f47be965c60a6fd48b476d5d4d40f0a9f3154a2f51ce821044383838a17fd95 |
| SHA512 | cb7427674082fe0804a6b50548b5b1eab8a071efd416d1dff82b0dfc0f8f593884c71cf53f9f09aea6f6ab3bf2b8f27dc19d9d8856d21684e1d07a8e1e6d965d |
C:\KaVBBJ\bodxloc.exe
| MD5 | 2a0ebbc4d9547e0f34639bed113d53e0 |
| SHA1 | cc1d19461e9a49c81d33df8306055bba1ad34017 |
| SHA256 | b1398d65f9466e567e35349932ea7de1b3234f5081b215cb52cab1cb4a7ea83a |
| SHA512 | b89750f24e15ca667b1e80e80ce5d1917301f8d0c3e37642d5ed9d54f3f9f9167ede5980fc2af95ff358bd23ff2575f38ffd4cf951f6efbee56ff9feb678e13a |