Analysis Overview
SHA256
8ec4d8607879ef302ab07eb047db673d7725ca7bf115653a3ffb61f95df1bf5f
Threat Level: Shows suspicious behavior
The file 5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:32
Reported
2024-06-13 00:35
Platform
win7-20231129-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocS3\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS3\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHW\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocS3\xoptiec.exe
C:\IntelprocS3\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
|---|---|
| MD5 | e3fe049190fcbde15e66eacb91d3236a |
| SHA1 | f4fcebe5b8a24cdfe21ed13992a051bb6ef5aef8 |
| SHA256 | 52eee0bfe08646055d72a0dea3dfb9e04681dc534b7aaf6cd6854dd22a132d6e |
| SHA512 | 0abd2428df97a8c9d74bbb7a1ca73fada935fb0a1f312f10560cf465cf14d6d0d9f569d563ec068708e2730f7308ad1e09dac781d008153f79bfbda39657fb5c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 3b7e9c50f656a30a9f7b30b0d5a5db22 |
| SHA1 | 5708bc64f1ba1d8492181f838a37f21b01064274 |
| SHA256 | 2d22997ae3ed19d54ef543420c8b395ac737b3f0ce4a70b371b1c5ab15ca9a69 |
| SHA512 | 257c2fda1b18634c2cb2d7076138ac1af1202d6da7e4743b4418c2bf7e431e277d4771fe9870b4bc75d7125b2c8b4e20bc17678dfd1ac03dd5d20fa35f7d2ef5 |
C:\IntelprocS3\xoptiec.exe
| Hash | Value |
|---|---|
| MD5 | f07b00f1f39e26b8732c130f9c49ac44 |
| SHA1 | 7a0d5ea44496696bbca9438ba3dc001ceb3511f4 |
| SHA256 | 3aa7aac75a19fad1363393f0d1c52077e53895054b188d268978739498be9f51 |
| SHA512 | 7a817282cdf01b0e08d27116a70a720bbf4a0de75262a4b49b96d65a20348f6b64fcb0be46cf12f820388e87bbd0340179d6f9268fd1e64df9aeb2471fa67fcb |
C:\KaVBHW\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | 82b5211767e51809c219013740854f69 |
| SHA1 | 8e5bfa129f771418de5e00fe63cb2e0b97fbe305 |
| SHA256 | f62ffeac3c939415c2542bd18d9350b9765d5fba931d2668dad696ed2f98f115 |
| SHA512 | f1dad18ac669b44d84e90b18dfbdbb1a09b7f17e19aefc9f800580474097772ca6059db69b27f04016ba45321477b40ef59635ee64562c7eba4e795231d71a9d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 202d0936325d540ae456c18834315775 |
| SHA1 | 4148f3f27151e9485adec4ecebcc51dc1a1faaed |
| SHA256 | 7854f3f63d7ce19cb3a8208042cdfecfb0420249cd5a5540b585f12602edc480 |
| SHA512 | 34b309cb9bdc68c00b8afe5d36d5e8b784f8ed171901264df50687e3bed3b8e4e775ea573314c645219b27594a4d4446509f10da931e015d736a9d80b24c7efe |
C:\KaVBHW\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | f460e8e7f24e5db3867129ebfa8e4fc8 |
| SHA1 | e97af7f1289b62810013cb72c1b7ffa81bd7d5b6 |
| SHA256 | be49e691fbe88068ab7233c794548d346537768e716fb652c7d60a90d0acf4d0 |
| SHA512 | 97375a87cd9245558b8d0aac213f938801e3c265beeb471a980287b5d842e77d3722a220d9f14b66b54fbeea1acac565a7230e5dcea50ed3731af5d08978cc05 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:32
Reported
2024-06-13 00:35
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocDV\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDV\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ64\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5066cb38175161a8636ef918df804b20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocDV\xdobec.exe
C:\IntelprocDV\xdobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| Hash | Value |
|---|---|
| MD5 | 9f5f1d179045ff8f9c1989680df467c3 |
| SHA1 | 37ae1da3b579eb0cade8570769ff5498d3e08a8f |
| SHA256 | 1a74694bbc76327f756f26d2e20abbc87f0dd8298f5a61dee524541d8ae7c778 |
| SHA512 | 63f0e6acb5f0ef25bdfb55a3de476847c9612fdcaed22f1ce8b3ccf9c5ef9d1c556a21a08238252143755e0c3b783a24c0a0f2c799acd9b250a9269bcbb68c27 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 69dfdbe51d3cce9e10b1675ce061dd8c |
| SHA1 | 2cceff0a181eab82b38063a1f72373062998922a |
| SHA256 | 86f886c10a46cf2c332369a44099efee95ae0caf44e4cf377d72d92162a7f973 |
| SHA512 | fefd606fec76fd233c984f29d8ea2bb0f3013a4513d91e0a415b7b2169c8675303589e154a4d5ff928a779d0e26a23d98391d9707efc124170625e2a9e3da111 |
C:\IntelprocDV\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 63b21269c40855efd4bc5d6c6f2b6157 |
| SHA1 | 54961defa00ff6365021432da5427bda8896efe8 |
| SHA256 | 2768b58d50c35cac148b93c59f8e0d9a01af79adaa2491383e0c54140c7640cc |
| SHA512 | 3dd4b41c70833489f1416bfd56a926fb8e6ec13c5d795562ce124ba57073e3e6d20b060bbf4551d52718b9b6c27513bb1fee7dd9d6a972ad0cba8ba173444814 |
C:\IntelprocDV\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 92b1eb171c3c4369d761d3d287adf781 |
| SHA1 | caff29a318c76279507476f578ba796b808eaed3 |
| SHA256 | 9275277517a6adcdb2e90fb4a4f1c3f05869838505012022183ca6fdfff74c5d |
| SHA512 | efaca4400b485f282a05ab5e334bb46d469c8fec328f1938747bd39fc42d21d880b679b8657c0f8463b8848a51b26dbbad01a9a964cfa1cbd37122192cd9e7ab |
C:\LabZ64\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | 4e442a678733ca5ac09c1e03711a42b6 |
| SHA1 | 7943a3367c0222513b32ff8f74e7a17af001d883 |
| SHA256 | 1339bff28072c36224735870f6e5938e134e3ed76bdaaf1937733b38ef2dbd97 |
| SHA512 | ff55f2602b4a397141963148348951ed356d6e23fca3acee1c86a28c12b8073865859cc2575956ab984276538d63d4b173d0ee082f304e8ceb9922f828b66d4e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | f347310499a6f481ac51b88e7ac7f704 |
| SHA1 | 1d58190e8113c4d27428043f2b43408b61c2db89 |
| SHA256 | f3573740605b1c2641234029dc0f320825a955f4da00246d6aceb659c400fefa |
| SHA512 | 2724c708656b824c173b2ee2951793be53f71c3467397ef8f5d7af190b4f5d544799048646bcfb9f6e2d094e553c86aa5c6143a0e96bd656f8e6d6b9af49943e |
C:\LabZ64\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | 7c6ffe1f2e4636c3e86149249a84a64d |
| SHA1 | eb02f5157a62215fb1d6a0d11753e6ae46a3e701 |
| SHA256 | 6f2a13488967f520c3649cc635bd926bb825690850e1066201122f39ec6e5d2d |
| SHA512 | f2b065bff81860b53d26ef10be0bae186d564941cb681aeedad718d77917aa63d82136430bda4a8e7162ccc33e918ab781f0fd513106967ed195c047717b51da |