Analysis Overview
SHA256
b4926533b6b68f8d543ff3bee797de5fe563f6b5facad7acd95f87bd488847da
Threat Level: Shows suspicious behavior
The file 543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:40
Reported
2024-06-13 01:42
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDot8J\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8J\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKO\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\UserDot8J\devdobloc.exe
C:\UserDot8J\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| Hash | Value |
|---|---|
| MD5 | c1b3acdd4d1392f8c3b5fcc1becb8eec |
| SHA1 | b4fb96c6c526abe38e78a9e5b7fb1f6be2940af1 |
| SHA256 | 743008631698d4f4a90cf8cff1bb839ed3c7a1a0a3ea80e5968162a9333fc0de |
| SHA512 | d58a8031018695733fc8336d630b43f8169af9fc6aebb7431af4c8d31038d3f7c9ba8c8899bc526d156ec4228ecb4bd0316b092c852cbda2cf70a7ca82ffd453 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 2ecc55747fc925fc8c6d99f1b110d7bc |
| SHA1 | e4831058d9d11a9f1b17b3e926bc6dc84e8d493c |
| SHA256 | efd1c9a7b5d474c12418edb64c8832f41b04036ce2009c3bd62db61bb9611d43 |
| SHA512 | b718a7d533b2a0f58e664794e8dfa2e58e1cb6d0bded3ea992416681b7abde305797a7ea6dd4f627d2fce022e10e96891f7abbd8c057f911b9f2dda529e21fed |
C:\UserDot8J\devdobloc.exe
| Hash | Value |
|---|---|
| MD5 | 9723e6b6d606e3945a610bffa7b7fc5e |
| SHA1 | 882bf10e7001e7a08974b847bd1d7eccb701b83b |
| SHA256 | ebf5a0e6974c880d88215d9573ed791b9065130ae885503d600862b442c17edc |
| SHA512 | 28b2d1a3ff72407c9f5d2ebe45c5a781226cea4a3f39138d25bdcf52e6de68d8d922ddfe27ead686f7294fbbe03c40000b7d79cfd44f46e5e29d9ff57f12676a |
C:\MintKO\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | 586dc09d5804dc54d44fbabe2f70a2f5 |
| SHA1 | 1b5a9a763950331479ac1c498b03264cda1e5e0e |
| SHA256 | 33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079 |
| SHA512 | 54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4731e8bba6894ea00b8440c806cea1a4 |
| SHA1 | 25e032a8035400c86c42f6fa779ad5accf861362 |
| SHA256 | 843de1a99dc9f16f583b8daa947416ce6e4dd73a56a9e4383d542d7ca46319ac |
| SHA512 | d62dee095aef7f2f254e97e0e6497e53f53a1390d03717197df453752df1e171a7dbba188f5d9536610b4ce225ac29d550dbec14dfe7f95493dc21966d9a6b1b |
C:\MintKO\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | ae11ddf571c80692a0eaa2ade21496e8 |
| SHA1 | 7420a9e66b8f87b51b7a967fff2331c86cc757b7 |
| SHA256 | c66fbee9a424918d26868c5bde2d3c7caf28cee25cddbc6e81fe0d26f55ff72c |
| SHA512 | c2a4a43f8dcc39dbfb159ee2b22b71c2c2a269f4f4dcc554116a74a21a11294fbef70ccd93d547eec73142c3b78783e11b478f67a4fc7efceb9e6c8c8f321f7d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:40
Reported
2024-06-13 01:42
Platform
win7-20240611-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocOB\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB1\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOB\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\543bcdca28db88817146e944b5a43320_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\IntelprocOB\xbodloc.exe
C:\IntelprocOB\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 37ae12adf7b47d01c4cc4dd2fb9b44a8 |
| SHA1 | 1ee81092df9f9b7395a64228bdd925bfa5b47e39 |
| SHA256 | 68e1d872030df43aeff8d17a46a4b1d367d3fe54741ea86d7775b6138908e9f6 |
| SHA512 | ccc1c47dd94cdfdf76363174fac155f48793cfa9f3e76753ec8a8d6567902e13f8bf36ae096a76aa1b53abddc94e04581c709b453657547158dc0b43b5aed9ff |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 3a6e8ba08d2754183ace33a14c192b39 |
| SHA1 | 814c5d5bf5fd8ce731f6ded611a0990d3337b1e8 |
| SHA256 | 5182645d6559c2e0aa97ca24f330f8da413e8fecdfd156efe16ded47d44166fb |
| SHA512 | 2d60279c522c66973f1174da8d0f7f66ea66ab4a77b387b88f51208320cd3b383fabb70bd2aba6ae65aa168d204fc6480490da9f3b699f47ce13ed2a764dd537 |
C:\IntelprocOB\xbodloc.exe
| Hash | Value |
|---|---|
| MD5 | ffa738bbfbbe009c0dc2635e1f78136c |
| SHA1 | d0e15108a7058f59f72368aaaeece941320a3cc8 |
| SHA256 | eb769ca0289f4154e6a41eb744b1870ab5ef1d0c2d231039e7d2a60cb8fd8ffc |
| SHA512 | 58ca37d575df7995183b57ed62b988488b265c4f126db3845fe6c634eb5c3471ae386e1bb92b259361ae948c492a9ee06f6635ebaaba194d86af6dc88228bcd1 |
C:\MintB1\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | 9b3d00a229775889bbe446e5ff2d7949 |
| SHA1 | 85ee2b4d4b1c5b4c606cc6257ee5c866357f8edb |
| SHA256 | caad5ba0d769db6646629b38fe16f807e6eaa2b02a2fbd7bb454e5f3d66d50e6 |
| SHA512 | 4b83712b0b35c1c4160aaafac761ad69ce39826a7a26de01e14bbd5c5d160676ad89dd17c92c9489312e3d485d28a11a99a435686219c2afd8d9fdba99723e79 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a9e4e3bb5dd58473bd585c3eae404a69 |
| SHA1 | e0a3f7217c6d45921690585c2a532d58e047620b |
| SHA256 | 6f990f541c80fb262fe89c17430fb3211f2ec654c55eca5d9a84ba74ec7205c6 |
| SHA512 | 8063ac7b99868c131964e2a2cee3bc119573a5dfd4008144177b98273f94c3c2968153461bcac202cc8c961777026e0c8ba69f511f3192bd969cf8c296c0f333 |
C:\MintB1\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | fab97463cf3f4d1404e687844122365e |
| SHA1 | a70ea88a2db3a06fe70135ca7b2b7bcdc262e578 |
| SHA256 | 8b33d5703ad9f11cb9626c2c89bd78a56769cdd16f9cd6bc13d480f61e937691 |
| SHA512 | 0001da8c7a5e88e218621627c0b1c5a33128ea5c05d038034946da605893105f710f8e3ef901110324e03581f9efc48f4225eebb963bec8bc2d578f095e0eded |