Analysis Overview
SHA256
94b9e01b20bea27442466e0e06f276c0d61885e457a4811af978def1e7fe16b6
Threat Level: Shows suspicious behavior
The file 52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:12
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:12
Reported
2024-06-13 01:14
Platform
win7-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeDW\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDW\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJH\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeDW\devoptiloc.exe
C:\AdobeDW\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeDW\devoptiloc.exe
C:\GalaxJH\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:12
Reported
2024-06-13 01:14
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocI4\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZW\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI4\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52c497aff26ab08fddae0593116e73e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocI4\xbodec.exe
C:\IntelprocI4\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocI4\xbodec.exe
C:\VidZW\dobdevsys.exe