Analysis Overview
SHA256
47d87a5c20ff018e0d0867a26a030e18241485c17c68de6dcbf83f54573f6514
Threat Level: Shows suspicious behavior
The file 573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:30
Reported
2024-06-13 02:33
Platform
win7-20240508-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvGD\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGD\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6H\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\SysDrvGD\adobloc.exe
C:\SysDrvGD\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 9541bdf6d7f4c1fa98aaa9682b92e18d |
| SHA1 | 6a4251c98956c685664cf19f0a462d75b9bcfad1 |
| SHA256 | 401aefa18d74f5816e6ad7d7e71363ba2c9cc369cea28e6f01a5c5aa111c7465 |
| SHA512 | 049cddb4165f214a172c23caca1a656e7f8ef0cb653440fdc01b03d0c40dba82e3df83f44b2c37d55e849cbc2685807fb82f696ddba421a0f3393cc4684a1a59 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e67a20773f54763c2abd62dfd1afbac5 |
| SHA1 | e8aa226f23976a38d29ca80d7cf41732b68d8051 |
| SHA256 | b515e0725c37dff5eb773be0ac3192614b5798d46a352a67f434fff4f11564b7 |
| SHA512 | a8a9cc8d34d2b5aff344d8292dd8b4b30947c2fb0d750dd6d701310f395ece2a270df25043b1adb9e6dfac36576908779e2a364430eb40f9bedec991946d3255 |
C:\SysDrvGD\adobloc.exe
| MD5 | 904d053a166e24cc87499158f29ce967 |
| SHA1 | 5c7c47879a0892216f5de109b2f40005b95ec101 |
| SHA256 | e716ea6aa0674ca7da2ebf6225aab2ad9d222c2564ad33761b2126198ac2e3d3 |
| SHA512 | a3edf1e2387e20b562f8384e0e64f47ba8e7775a83d018bf825eee2f5d0581979a1eb174a441e7fd51c151b88c1f30a803114a43af226c8da041cd62f5979955 |
C:\LabZ6H\bodaloc.exe
| MD5 | ff67a903162210e7452143443bee8a15 |
| SHA1 | db834310371069e7693b8524334877a5f24a742a |
| SHA256 | 91b07caf2c35e6ccca12b011d974a5c0d0d4c3a8fc6d755fac935dec2d242c8b |
| SHA512 | a0883062ecf9057983760cb904ce505fb6c4ee86780a635e6052bf816443c34abdfe01047da8ffb5b151d9d2bfe8986d765199314f34844bf4bef3cc25f5011b |
C:\LabZ6H\bodaloc.exe
| MD5 | 03493b390f229560e8cd75f8d39c5760 |
| SHA1 | 582fa835181e09e0d1860c5f3db30a7014a6ff26 |
| SHA256 | a377942144baea3af7d9c1b82722543ed4ca6aac94a2f4647e5acde338a6c1a3 |
| SHA512 | 788e9e215c2ba2bdf0a6b39a8f64afc1d881a6c9b2195fa18c7fb0eba3f27dc65418aab46bc4b7ef362ed88b090d96980b315a2de644e8b7ba0aafcb08613e60 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dda27ad32db4a85ccbe27ff6e3fb960e |
| SHA1 | 644175d64f7e41b6fbee0eac161263244247bb0f |
| SHA256 | 22327df47c7c578c798729697f9a92130698ecb529a8bee8d250ec056d20184a |
| SHA512 | 4b95424abafb8d8446a447c134c432963130b14d056c373a5ff4df8d949e24dca74e79aa496e063673665f5043f780f834e8b7e8a8f2859b03026ce53e1057c5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:30
Reported
2024-06-13 02:33
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
51s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocYR\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYR\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\573a80d4837352a49e8ebbcb86ff2520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocYR\devbodsys.exe
C:\IntelprocYR\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 125fed3a6a727201ea344d6db37dd45e |
| SHA1 | 6be1ea56c48caad0e3a92b528b073a08e8f116aa |
| SHA256 | 16acfdaffde9250567eab5380fd757f63e94b9ff8117ff0aec71fc56e5c250a9 |
| SHA512 | 672282aa59b2fcf4236ef2fc0ac86a2ab65e6ce82b5efe21de189a22ff5c2b9770e438b78060d4cd9f2bf7a5038d982bdccc4ca0deb68ad76a0e5b2158338c79 |
C:\IntelprocYR\devbodsys.exe
| MD5 | 4a747617a0b3237ff25f991cc2ef4404 |
| SHA1 | ed68cb09e132d28a918426b5563180aab5a713df |
| SHA256 | 88ae64d07969e74371fd6093e781cd1e0c77c0046410abb9696c01223965bb36 |
| SHA512 | ee0ba7cf27659ab035750bd747ae07ef5a357edfd969caff01befc14227d1d40304dea3869cbefc005c3872c3bd6744a3d116316e282a275c6d247a7845eeeb1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 670be96e38aa44c5f1b2214f591946c1 |
| SHA1 | 0cb7658fa502a9fc5dabb2b010ef55185ba5225b |
| SHA256 | c14f57660479297d0b9d881a2589c47e03290d3a419b51442ea7a362a874e643 |
| SHA512 | 669085929f5a18abd59a8fcf1f80c2f5350c611a0e64ed2f69b1b349905eb456f01fc845b93018fe51e5aa103c000e9cf33348d23dcc6587f0dc975ec9c8245f |
C:\IntelprocYR\devbodsys.exe
| MD5 | a555806c8d8ff121482b2f4fb6faf286 |
| SHA1 | ce3b3763bd03f7b6de55bcdb37624c2556e3e55e |
| SHA256 | bd9a7f3b49e40fd1fbdb43408efb1d03aa8a691023b5caccf72b724b65d11c62 |
| SHA512 | c58625438af99745508e5cc6e034b696cb2a8f7b1bd8410412c8b0aa0c6e2a73e7cc5fa6468e9a712cea683ff0ec601cabaefbd45ed7f8a6e1299552e8a0ceed |
C:\KaVB2E\bodaloc.exe
| MD5 | 2e39c5f27905ec88126a702a49a23a56 |
| SHA1 | 59fe7aa7875e890e04479f730cebad46f4810b90 |
| SHA256 | 2002dc3cf135152219ad4b226dcd0306643c18609c8a18aabd20f0aab8cc0607 |
| SHA512 | 38fa799bf25d61ac47bb4ec2d4672afebd9e7ce6f501a14da1c38f314fa78e3f96309959f9bcd0381f51cf88995b6925243bedb7d40db78645e49f8f999fd8fc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 55d7f016b8a8c380316c57fb48b39a25 |
| SHA1 | 7497b8fec93a819f7d8eaff98b4336b36dc4de8e |
| SHA256 | c2d793f21645ebea150f8b2ff5048aac31d27f77099adc611c7c6ef674b50eb8 |
| SHA512 | c610506dd8b12138799339fb52d06810c4e63c43360ee87ad9b063a38d7e05511920064d185a086d079c7ff68118a38dc5b20c3ace52490c1b407d50873b15b5 |
C:\KaVB2E\bodaloc.exe
| MD5 | 374450f0848207b9a64e018245c90519 |
| SHA1 | 3250cf9bae5f6cb8bb4cb67b323fa4e8fde89ed2 |
| SHA256 | 2b4a4dbf3af4763060e12008a09763e196c7dd901da863c0f26a1cf16cd2c55b |
| SHA512 | d50b5cc3b4de95766addffb4f76c0e5ce0d529491d15cbf9f504b200b23069f54efe958750f2cbdbec24ee99c73f47543bb457a9f862e029bddade55f40bb814 |