Analysis Overview
SHA256
25d3cd4ea6de705f38590297f0025ae35b12e5acc383fd4262c763efabc92a8d
Threat Level: Shows suspicious behavior
The file 5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:41
Reported
2024-06-13 01:44
Platform
win7-20240611-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\IntelprocOK\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax44\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOK\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\IntelprocOK\xbodloc.exe
C:\IntelprocOK\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | fad567338cf4c6fb8756d6455227e77c |
| SHA1 | b1089806d95abd48e53b03e71ddd429bdaa49a18 |
| SHA256 | 5fd0deeeaeaf16f753c5d0b07cd46983cc793a243869cc279af4e38df514dc88 |
| SHA512 | 91281c86372e033f1d9b488b879aeb6415b9576f0d827bf1227a54690c94b400438155915ce5ffe5b70812c79db617feb918df1b8490351547a49e86b8d21d04 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 17d53db71870e91800fe8d157c41d65d |
| SHA1 | 4fd4f24c9a2014d6753ef39f8a959e4596a0fa00 |
| SHA256 | aa30216b9ee9982a0e64a64dca0ad0d74c9f71ab3b2329c510cca48ae2a0d8f4 |
| SHA512 | 7a1cdec63ddee8806f8a601b8996e3febf041163c3f736888cda75229edbea6175d6a3c6471aab76d52a5614867e7b52aeccfe90a3be9f764467a7deb979e3f5 |
C:\IntelprocOK\xbodloc.exe
| MD5 | 045cb633af0c2e5291ede34bf85fb961 |
| SHA1 | b6a015dda952232157c0ab42a7b690d799cc88b2 |
| SHA256 | ad8da54ac9e5d74d22599bd1e87eed2281a8455673d04af79d55173b1ff41864 |
| SHA512 | e24241d32f64e51ef7c568d317406557ab4e833ea1862c16d625181e08b0c14bd71128d6b01923f0c0d17527f6d4979bbb9b6f7ffe8a881403e36418c53e04a2 |
C:\Galax44\dobasys.exe
| MD5 | a11f76255b9ca6234bfd6aa66474643d |
| SHA1 | e3cc3fe2e8e1a624e3288e828320a33d91a8d733 |
| SHA256 | 2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6 |
| SHA512 | 5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 31998ae7737aba476d0d14f0cea038e0 |
| SHA1 | a3d5454c716bec1f6df96b130d180ab0d902ffb3 |
| SHA256 | 1847cf21b9bf3b46ea7053de0e3d198008f6c8e0339ac6a289aa93dbe14a4dbc |
| SHA512 | b724e71209f72b2d0dd3582670bbc77e1261b075f3d1e10f595a63c29f4dc82adafdff6a3a856880a80ed92e1f9f2b26b5ef9799fa411346d500231f6b1fcee7 |
C:\Galax44\dobasys.exe
| MD5 | 563207ad30f7f812f2e593c9a2e245d4 |
| SHA1 | bbb466732510845001b65d198338d3ca40b7035c |
| SHA256 | af730053b04f5883e4e7ff948f3494abcf14f62fc9b138cfbfd0ed23245e98d3 |
| SHA512 | 34fa6c85a56300bf23933d2221906343f7a9fa79cca5e78e48a8b294d88a3207efb1c47e0b8110245efba198cbe977b25f9869d6f9a83428e00c73f657370029 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:41
Reported
2024-06-13 01:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
52s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesGP\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGP\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5443c2ef3d4c96bb7a75a6bea6d9c6b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesGP\devoptiec.exe
C:\FilesGP\devoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 4fc5f4a70ee0e6f317e06c7ad89b60c5 |
| SHA1 | 8a12b0faa89120058c80af5f8dfe7ae8481195d0 |
| SHA256 | b5748fa250809de65cb9241bb050209aeef9e95599b53d6653b73dee8564a0b1 |
| SHA512 | 26e08de9f92989bc95ad89576263b70097e32d278c5092b84e4147bf1bbc6fb475a03f3834cf8e88a94dadd64d6e58932089450be896d1948cd2841a4d9d92b8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 31b0adbdf8e4f6e2a1a19683138e7063 |
| SHA1 | 500f84766e6300a8ec0a07e3a518420fd9c81918 |
| SHA256 | 54ed2b5f8de91bdc97dcf1f8f9c47627d50fc20186b14a544d8f679b7d2096b2 |
| SHA512 | 7dee29871e73608af38958ca609ae7702ad22900d1acb0bad64448342a07c0585ec49a3a798f0b9b2bc317f654baa5489fb0e0aae3def5deb9a4bb134dcff695 |
C:\FilesGP\devoptiec.exe
| MD5 | a816ac3b873d127d869e4ae4ff56f0d1 |
| SHA1 | f309c45e5aaf0c4cf89a2cad1343687da829fb50 |
| SHA256 | 0f4ee05667b20d486da8e9bdd479e6484045e6e3c47112f413b7d6dc5bdf9837 |
| SHA512 | b13c154b3727201d8ad4e83ec36b86e662d8407b8bbaa7f3a1c46812be1a9053588b93aac19f784394fb82d6cc6d579dabca25c19562433c3e0f73a637f0ed37 |
C:\KaVBHT\boddevloc.exe
| MD5 | 352d477588342bd5404ec66ec57d38f8 |
| SHA1 | 397a685ce792ccdd25cb9457bb04d4d8320cd906 |
| SHA256 | 0a179746f07893fcb55196e79c0056478bf8df55acc529618ecdf8ea4cf9cd6e |
| SHA512 | 5acd37b2861dbf9d90bf58aca4358761942af8bb4b090d297165c909dec3f2665ac43f4c8a5286a2cc35aeffac2e35f578c82147e34b5687a01d7d51d7f9e98d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | eded7e0a4251054d8155757e508f4aac |
| SHA1 | c06ae7f87a019984ce03674928c9227211976384 |
| SHA256 | 686a11a1233625cff23d6fb001937361a8a07de9f9a7ba0c39a5372321027c98 |
| SHA512 | 4ec0b14e5bea7c095c4540bd802106c308d26cc3ddef80f385950d860c93d082cb4ffb85a106e4f26c0ad2c0c7854233e2bce84c1afd4499993aa495ab47118a |
C:\KaVBHT\boddevloc.exe
| MD5 | df281bfeed20966154202479017c5833 |
| SHA1 | 4bf02ba05985093e394a2a23df43add0038675b9 |
| SHA256 | 5413f4323302e1679a11a57735e607bb6ff9d272be4b1c4c1760047c276d331a |
| SHA512 | a99e6ed87160371c89e4227c2f969aede9f83aa0e79fc383e7ec10c798f9bcbda8c8724403693b72590bdd31c583835bb832da6dc5552d02abbd633c705ca590 |