Analysis Overview
SHA256
5a969a29c236fa3ffac806f6ed126922ca69461b9ec7b4ec4eb2a309518940b7
Threat Level: Shows suspicious behavior
The file 5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:45
Reported
2024-06-13 01:47
Platform
win7-20240508-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\IntelprocG8\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG8\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax58\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\IntelprocG8\aoptiec.exe
C:\IntelprocG8\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocG8\aoptiec.exe
C:\Galax58\bodxsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Galax58\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:45
Reported
2024-06-13 01:47
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
57s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\AdobeQ1\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ1\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUY\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5474daec32eef07c6a4989726683ae20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\AdobeQ1\devbodsys.exe
C:\AdobeQ1\devbodsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeQ1\devbodsys.exe
C:\AdobeQ1\devbodsys.exe
C:\MintUY\bodxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintUY\bodxec.exe