Analysis Overview
SHA256
aa040dfae71fe9b295bbb1a377969eaa6acb81f633af37243d9837fb753b10d9
Threat Level: Shows suspicious behavior
The file 55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:02
Reported
2024-06-13 02:05
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesX2\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIH\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesX2\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesX2\xbodec.exe
C:\FilesX2\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | ddaff1ca49602c4441cb40998c94953f |
| SHA1 | b5e1555f195b4e799106d43096e7813a3975cb33 |
| SHA256 | 936b043c0a5006e13c6c27e23411d235e397e8507adcdce9f874db1bc6a9177f |
| SHA512 | 9ee24edf459886a4137d0df1876b16aad3e783b53e3e8bcf53f06f5baedc4683ff853241b317716deffb8e6fda4e4823bc7180a77da94ff56ced3d6c09393a60 |
C:\FilesX2\xbodec.exe
| MD5 | 03d62fb5adcd31f91b5d1803cc223c07 |
| SHA1 | 4d0227a64bc90bf396be90e1939072afa3360fe1 |
| SHA256 | 7996dda94542cef00f2ac5627b14862e875c3762e6ab038e602f251b3efe13e1 |
| SHA512 | 75e7c001f86351ae4a113d01e9eb9792168aa478e2496da2ce2bf1f042ae45221c61b78fe1ea65a5354fa71223320c8eec846c92335a994c8c569bab0f1eb873 |
C:\VidIH\optixec.exe
| MD5 | 6dfe50e295bef9fed845b72bd6797695 |
| SHA1 | 329283caffc062c1bcdf0f7c505f84e25f483cbc |
| SHA256 | 2ffddc445d1f8526aaa5a966eded3993c70e5ed74eb4d75fc1a67cac8ce224bd |
| SHA512 | 6c6a60be10d5616c9777459050d26eac1a74b27b1f126ecc81ab2a19e8dfa0e5863f0f5bed2e2efe117b849abeeb87bfe2b67c13935873c3ba6f038ecd7d6f79 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 22885dd01486d1dea91a2ab413d91cf6 |
| SHA1 | 4d5ee97debb4b700312fa07be9f8abdad9e86528 |
| SHA256 | 19e744b043e8ffc4c0469829cefda2bf1a76cb33d9045b72367f2015d3c67ac9 |
| SHA512 | a31d89f632b2df7ca0dd557d58892bce5eff63cddae20c587a200ecb7d434ab5973c55c1d1c3791b54c48ee67b703a75db59f2849003219de92b50ec1ff55623 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9c218ed8f55ab016c5b37e1fcd495693 |
| SHA1 | c71aa3b792dbd4e2cf2497081441e0d0eab108ff |
| SHA256 | a7daea5640684aff66b75e9be684204c90cd1b45e8220be7c82f71792850ece9 |
| SHA512 | 59e603d2309c812ade9cf5d05490035e52a991aeb594da232b2481f2e2bdb5bd043926345791f8255e7d3a3cf15d5887278177d047f9083ac17692606cf30f31 |
C:\VidIH\optixec.exe
| MD5 | 464eba4f6a3d2bc776ecd5d9eb95b46d |
| SHA1 | 3b8292615edc47d8f61d30375e2a458e3212fc32 |
| SHA256 | 57ef475f27649f401b99098644f89eb486545039a585d19f0f999119b84fa69a |
| SHA512 | c0c051afc38187b0f0b5dcab89ce1cd3103bd97d0240802c9c517bb04abbdd71c93ca7abb028d28c2e86bcb74730262d49191bd9d854b9459f6177f063adab01 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:02
Reported
2024-06-13 02:05
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
53s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv76\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv76\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxG7\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\55b4d8c5f9f12ee6b3457fb9af215380_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\SysDrv76\devoptiloc.exe
C:\SysDrv76\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 5a64dbb10f519ac99f494823feb4081d |
| SHA1 | adc9765e3ca55ecb84af3a06c2a6c75e73a9159e |
| SHA256 | 4f96084752d83ebf123265fa9771e9ecc31457c6b2d60df6f0d35a5b972fd4ea |
| SHA512 | 3eb673a01adab1d653351abed932bb453dc7d3ad7dabb39f57bab935913020585c78e012577f4769e95506375353e0c09232a9e51bc58258d8c8c19b72a7d1b6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 04ba5039465001cfa5ed3a3549833717 |
| SHA1 | f078d289f5b66c63ed9379742f0fba1b3be41ef5 |
| SHA256 | 1dd7863a676e0116014ecb3af92b801f0eeb89de7336d157d0f69158b8e9fd85 |
| SHA512 | d5e30f5c7b8f8f91a39acba519aae026bb44b49eb1ed355959e86f2d7af19c07effdc9177c07eda2e4906ef01d78052088fa09a348a1907d25b156a1b9726a92 |
C:\SysDrv76\devoptiloc.exe
| MD5 | 7e10756712d2f0e58332f860544d5d3c |
| SHA1 | 6beebc56ea1f39d2873c7c01b1990fe9245c7fb2 |
| SHA256 | 10e256d1698f10233864944f94c9e123371e88069d5bd3322b02a3ee4dee7795 |
| SHA512 | bfed27e19bc092a1ce3b8258523fce3c7636602dfce56e8ba5bc289de7a303e28743f96fd579e994af9c4ff6e3f328d882571535fb918d9320dadb8688a5419a |
C:\GalaxG7\dobdevsys.exe
| MD5 | 1319afbc6d704713700a9afdb91a7209 |
| SHA1 | d6d3070cb44abb28890c2e06ce09bb5b8de76a43 |
| SHA256 | f1d339304d73c49ef5f8dafd15faaf5c716ef9ecad8b7740ff519520b9ee9d06 |
| SHA512 | 99fde0db8e88c145d071ff4919e04ac6302d8d11318dd20a71629546d38ee404427fef139eb1c2538f6e7e0a0ae7a00dcab74da81d3fb66bfa831ef4571fdb1c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 802b374f8b51fa5dc5e712a631871546 |
| SHA1 | d90a5e86a88a9707c76a3beccc7b8c1b6fcad3c3 |
| SHA256 | 70bd2bfe42ee1ffe6f9dd6901912de91f31ca5bc3c2b5a0237502fdf3b269ced |
| SHA512 | 634b6286d68b412fab849ea190a46a29e491d8e373020832cd2d9e141137c48b2db18031184ad4d893aa17b52fe00ec6ef434c505e4f6ca441a2751bd11a45ef |
C:\GalaxG7\dobdevsys.exe
| MD5 | a14ebd5bf384ecb808d20a3b4c185a40 |
| SHA1 | 5a25a13d96591d03449cb8fd1dc4dad1ccebdbb7 |
| SHA256 | 70368420499ee73102c358b1c5f4cf8391382070c38ef0a9a2692f548588e146 |
| SHA512 | 1d84f6672ff7f9582808cf93a16cad015add7072e14aaaad7a03a85dad9cb785498d3cf516e32808b63ee12287449d41c05b9a23d28537a4adc0b6ece18dc442 |
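A worked example, added here and not part of the sandbox report: a Python script that takes the Run/RunOnce indicators and dropped-file paths from both detonations above (copied from the report's tables into the script as constructed sample input) and separates what is constant across runs from what varies. Between the Windows 7 and Windows 10 runs the dropped exe names and the root-level directories (FilesX2, VidIH, SysDrv76, GalaxG7) change, the autorun value name Parametr does not, and the ini file name carries the NT version of the platform each run used (6.1 on the Windows 7 run, 10.0 on the Windows 10 run) plus the user name. The same dropped path appears twice with different hashes in both runs, so the script keys on paths rather than hashes. The list of trusted root directories used to flag the autorun targets is an assumption of this example, not something the report states.

```python
"""Pull the persistence indicators from both detonations in this report and
separate what stays constant across runs (hunt pivots) from what is
randomised per run (dropped file and directory names)."""
import re

# Indicator strings copied from the report's "Adds Run key" and "Files" tables,
# constructed here as inline sample input so the script runs offline.
DETONATIONS = {
    "behavioral1 (win7)": {
        "registry": [
            r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIH\\optixec.exe"',
            r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesX2\\xbodec.exe"',
        ],
        "files": [
            r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe",
            r"C:\FilesX2\xbodec.exe",
            r"C:\VidIH\optixec.exe",
            r"C:\Users\Admin\253086396416_6.1_Admin.ini",
        ],
    },
    "behavioral2 (win10)": {
        "registry": [
            r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv76\\devoptiloc.exe"',
            r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxG7\\dobdevsys.exe"',
        ],
        "files": [
            r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
            r"C:\Users\Admin\253086396416_10.0_Admin.ini",
            r"C:\SysDrv76\devoptiloc.exe",
            r"C:\GalaxG7\dobdevsys.exe",
        ],
    },
}

# Sandbox "Set value (str)" indicator: <hive path>\<Run|RunOnce>\<value name> = "<data>"
AUTORUN_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?) = "(?P<target>.*)"$',
    re.IGNORECASE,
)
# <digits>_<NT version>_<user>.ini, e.g. 253086396416_6.1_Admin.ini on the Win7 run
INI_RE = re.compile(r"\\(?P<const>\d+)_(?P<osver>\d+\.\d+)_(?P<user>[^_\\]+)\.ini$")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# An exe exactly one directory below the drive root; the trusted-root list is an assumption.
ROOT_DIR_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
TRUSTED_ROOTS = ("program files", "windows")


def parse_autorun(indicator):
    """Return sid/key/name/target for a Run or RunOnce indicator, else None."""
    m = AUTORUN_RE.match(indicator)
    if not m:
        return None
    # The sandbox escapes backslashes inside the quoted value data.
    return {"sid": m["sid"], "key": m["key"], "name": m["name"],
            "target": m["target"].replace("\\\\", "\\")}


def odd_autorun_target(path):
    """True for an autorun exe living in an ad-hoc directory directly under the drive root."""
    if not ROOT_DIR_EXE.match(path):
        return False
    return not path.split("\\")[1].lower().startswith(TRUSTED_ROOTS)


def ini_fingerprint(path):
    """Return (constant, NT version, user) from the dropped ini file name, else None."""
    m = INI_RE.search(path)
    return (m["const"], m["osver"], m["user"]) if m else None


def summarize(detonations):
    """Intersect indicators across runs: the stable names are the ones worth hunting on."""
    names_per_run, ini_consts, os_versions, targets, startup_drops = [], [], [], [], []
    for run in detonations.values():
        entries = [e for e in map(parse_autorun, run["registry"]) if e]
        names_per_run.append({e["name"] for e in entries})
        targets.extend(e["target"] for e in entries)
        for path in run["files"]:
            fp = ini_fingerprint(path)
            if fp:
                ini_consts.append(fp[0])
                os_versions.append(fp[1])
            if STARTUP_RE.search(path):
                startup_drops.append(path.rsplit("\\", 1)[1])
    return {
        "stable_value_names": set.intersection(*names_per_run),
        "stable_ini_constant": set(ini_consts),
        "os_versions_seen": sorted(set(os_versions)),
        "autorun_targets": targets,
        "odd_autorun_targets": [t for t in targets if odd_autorun_target(t)],
        "startup_drops": startup_drops,
    }


if __name__ == "__main__":
    for k, v in summarize(DETONATIONS).items():
        print(f"{k}: {v}")
```

Running it shows that a hunt on the dropped exe names alone would miss the next run, while a query for an HKCU Run or RunOnce value named Parametr pointing at an exe one directory below the drive root, or for a file matching <digits>_<NT version>_<user>.ini in the user's profile root, covers both detonations.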