Analysis Overview
SHA256
667db1eb6450d21259bf5001b9c9c39a7bbc26f7be98f216b0bd0e1849ba2961
Threat Level: Shows suspicious behavior
The file 566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:17
Reported
2024-06-13 02:19
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotOH\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotOH\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPL\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotOH\devbodec.exe
C:\UserDotOH\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | d7bd678d0b3ef8ea67f51538b2ab67a7 |
| SHA1 | 7a1dbe7720b015655804a792dfb80e067d44039f |
| SHA256 | fe62dc771ef6a390f237d84e95e2e8a855136f390cd3958fd62364a5df5cbdd7 |
| SHA512 | 9bb9056b50b2f592efbb66dd43b937f509f4ac4d1924987c974aa76a4fa483cbb77094f861bc6cccacb3e2ec893e4bd6806524f745b2aa79fe8b7bd5e37c3daa |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d0b065c2d305459571c502a995ea97e |
| SHA1 | a1bfc3d89604faad5c43fec3f8b29197e80f37f3 |
| SHA256 | 0ca210e59569447bad1be1462156bc880a3e39b4aa103d9b080ef1ce9cbfbf1b |
| SHA512 | 0c2e7279130d46c29a9271c0810b79ddf8859bdc97086bf30ddecb49d282f1d82efaa7f7ecf38197d6a02a6257547abd08bc2353fad9f9a13edc5cd6fe351584 |
C:\UserDotOH\devbodec.exe
| MD5 | 6ab0d3602273dee0f9edf01c8caceb9f |
| SHA1 | 4da93916f1e0e5c81ea66b101f78301c91737987 |
| SHA256 | c791bd6c2fc5179a693e01e77e7123d4c3356a04d08fe8c2c674d77a92b2473d |
| SHA512 | 7c33dafcced76dff3c4b5fb269fb27a213172f94bfdc1f390935f0659610fb9c3d7bc561e41f07cb9ace3b28b34c16be3a87fa5abed08c111d5e2c38cac60b94 |
C:\UserDotOH\devbodec.exe
| MD5 | ee84e5936ae9f4d23869ef7c1a177c6c |
| SHA1 | 5513c7cf847321f833eb08033f7dd42e3115a2cf |
| SHA256 | 67f0d29ef7c2ea4c1208df1f822f797815480269a00eac8286b999d506bad028 |
| SHA512 | cf6e2ddd0735dda9c784c9251b7462bb485db869b8a68fc2b5beb162a188d081c74d035fd23ad904526fd12477d532c53334b6769503d4f0f49b6fbe71354f2c |
C:\LabZPL\optialoc.exe
| MD5 | 9ff0237f8015efddb893d633dfbac943 |
| SHA1 | 6d1a76b844335462eeeb74a0a46145fe0426817c |
| SHA256 | 7e5085105edd7338fec6dad8d2ae5f7bf0904f0db860ab3b70c65a31b193e9ec |
| SHA512 | 7442ad2b7650dd7f37b7c332cfcea28e474c2ba8a226cbf20c5498845346013ba0febb0f524d8ce8ebec5bfacdd1a9d7c8aeea877cda0a13677ccbc2abdd4279 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | aa7935da849aa9371265eefc59b0c560 |
| SHA1 | c28d0b26a5438a3224f180cb149bccb2452ec016 |
| SHA256 | 5e82ad686e91dec73387c742c2ca62cf8e56c1270d066d66213cbe14eeb7d27e |
| SHA512 | 417eab2e78412263af8d69e4722e15e45c78b045a1552987be6720fd30a8fe2c954a115a422b61eb8b1cb1778d8f8e87b7ea2d2a0ac4454211a25859f09c194d |
C:\LabZPL\optialoc.exe
| MD5 | baebd565738a73b1785d23f85b9b1880 |
| SHA1 | 3e776227196d9cbee3a9edf120876f20e6af105e |
| SHA256 | d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7 |
| SHA512 | 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:17
Reported
2024-06-13 02:20
Platform
win7-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrvRH\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRH\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMR\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\566c9462e0158256ea4ad3eb83fdda80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrvRH\devbodsys.exe
C:\SysDrvRH\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | e72d40b303902de3a9ea1fb24a793ab2 |
| SHA1 | ce1de8a6a5c9a48dc2e7c7af4b00c287f95c2577 |
| SHA256 | 3f611ddbd0f7dcf70c0169570928d8c480cbf2b12e6febb42ee21fe212a7a13f |
| SHA512 | 4ad26b85d8ae7c0ac94ecd192ad48b6fda8c61ab166abba9e31855a313c9cc3221d60bc57ea74c54696c18f6304d9241de6ff7b72383ec691dd01b579926bc66 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8000f4b0d3f118e7633d1eebc80360f4 |
| SHA1 | 46f84e5baee7cbb88976cbdce1308fb57b832f7c |
| SHA256 | 5b425b96dbc0c03a2baafb264241e5470641d8c7cfb5c5eecc4a82e3b208fa01 |
| SHA512 | f531b262909bfdddcb04a87c09b99b9cdc00245bc68389e331390372ae5811a1bfdc4f41aef76db46e8d1af5ed9e3e905ee02cf8d0628a146ffc3eaaa5800444 |
C:\SysDrvRH\devbodsys.exe
| MD5 | 3c7fa1ed4bef9a6275970d988675babe |
| SHA1 | 944d3099379084223b21d6c0b17e11a7f3b9751c |
| SHA256 | 634d2464c4f13664e34391d491bb5e1d30d31abfc04ab23b28e2f6fc34703431 |
| SHA512 | 8e7355f66a8534e8694bfc9d6d08a726eaae25c6a1394e7b53cf4ec761cfa455409bba4a76a58fb012298d612d855acc788a0f2be5b39637a054ecf761f2fac0 |
C:\VidMR\dobasys.exe
| MD5 | d9b2d20c8a5504e91300a926b73a4a4f |
| SHA1 | 7097b08ba41c864b8f4c5b772631b5573253094e |
| SHA256 | a6f1b722a0ca84632c1bd3354951c643cabf10c723f3c72c8afdce332c68d715 |
| SHA512 | 02acf2fc8b944ac66bf9f7ddfb7c5d0104ce9f89a20f2af26b619a7eb6a7f13df4f836e8a75ac305189a045d506806d94af565fb9effb377f38ad82a67979691 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3da0bc2887e151d0d238b93fd14e7431 |
| SHA1 | df4b25a5f15d36b4eb991919250165b213ceee30 |
| SHA256 | 288f979c0e59acd1f8d60d87ab3671910ba0b5de3d9ddea6445483a79b830067 |
| SHA512 | bcab24d48cc865b93e904eaf704602ff679292e8cf095053510b89f2e57af36b9076d8ab39938e1af611c8c837b303cca848da1bbb2dc553e2875f79326f968b |