Analysis Overview
SHA256
4e9baa23702fdefc510b7db09b40d64586041fd5d963cecf081331262f857e13
Threat Level: Shows suspicious behavior
The file 523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:02
Reported
2024-06-13 01:05
Platform
win7-20240611-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\AdobeOW\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTT\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOW\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\AdobeOW\abodec.exe
C:\AdobeOW\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeOW\abodec.exe
C:\KaVBTT\bodasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:02
Reported
2024-06-13 01:05
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvSJ\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSJ\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidV0\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\523fc954ff24016f70ed7f1834a11b70_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrvSJ\abodec.exe
C:\SysDrvSJ\abodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvSJ\abodec.exe
C:\VidV0\dobdevec.exe