Analysis Overview
SHA256
dca3e14dc36c52543ba8ec0688af601be49cca0b2abb950c42f0d4ab9441c737
Threat Level: Shows suspicious behavior
The file 58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:56
Reported
2024-06-13 02:58
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Adobe7M\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxdob.exe | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
| File created | C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxdob.exe | C:\Adobe7M\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1712 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\Adobe7M\devdobloc.exe |
| PID 1712 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\Adobe7M\devdobloc.exe |
| PID 1712 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\Adobe7M\devdobloc.exe |
| PID 1712 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\Adobe7M\devdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe"
C:\Adobe7M\devdobloc.exe
C:\Adobe7M\devdobloc.exe
Network
Files
\Adobe7M\devdobloc.exe
| MD5 | c9f1bdc0ef47e8cc63108a9c647078f6 |
| SHA1 | b4e81d021d925ed450d66639b2c1d0644588dde4 |
| SHA256 | d6199bcc85c7b66f65917a61b7e9f254d36c7767c3ed55162484ea2cd6c5bbaa |
| SHA512 | c4a679fe84ffb20313111cf03ce7f530ad32149a4cfc7af66eb2b84d33ead137e4d38f89d7ddf5f559773ac89d4c2818d08ffc0ae312f9c42b6f17430b6788e8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e4040ed3dd04eb7906ffa45ba4c5b1cc |
| SHA1 | 00e2bae589a1c497779fed483b6e3f9d1fb9d595 |
| SHA256 | 29d90ae9a1ae8c7cd74a94cd4cdd9921723f1d50ced62c9c3a2dd19d5166389f |
| SHA512 | 7d07c4b1f0df9a744edb1bd8c0126904f92e03cce73b7f85ea4af2fd842d5ae27e09c02bdcd95c76579a6d68e246c6fb241e7739bd547b9e446b4aeb3b82b84b |
C:\Vid9U\boddevsys.exe
| MD5 | dd318b0ec4795dfaf705f5d8537357e9 |
| SHA1 | f800ec69e32c0ccd7f8c0157357efed34a83df00 |
| SHA256 | 7ae6c9a95e6f217c6ddc148a1394cc108f669db413fa1699e7e0a747d83cbb87 |
| SHA512 | 18b37c1c8fbd6181d2d52662ce273985273bffbab8df9a0960449c4e44d9d21c4b848d7c7277f13945eb2f86ce85a8f1c3dc786a3ccf4b6fe69ba51815d2a28e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:56
Reported
2024-06-13 02:59
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
53s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesCE\devbodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCE\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBB\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxopti.exe | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | N/A |
| File created | C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxopti.exe | C:\FilesCE\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 540 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\FilesCE\devbodsys.exe |
| PID 540 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\FilesCE\devbodsys.exe |
| PID 540 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe | C:\FilesCE\devbodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58f5f0ad4c8c4e2d8f1ebe9b836c31f0_NeikiAnalytics.exe"
C:\FilesCE\devbodsys.exe
C:\FilesCE\devbodsys.exe
Network
Files
C:\FilesCE\devbodsys.exe
| MD5 | bf1b4752c0caa7b0ae36866abe162517 |
| SHA1 | f95605fc7078834e8960ecfa22d55a32818925b4 |
| SHA256 | 7ce83591c51c75aeaa21e2a5c86cb032e7fa82224d8f0aaf6e278400b0bdfa29 |
| SHA512 | e9211752d094cf4f32c42d9b5e6fa6eab384cdf1471acd03a48814142a9d8e540e7d8fe522b9d4a18368bbcdd470dd1601c23463d2ede98f3275b2a1f048118e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 183d7635e54b2213748ab2315ce144f5 |
| SHA1 | b35bc9748d4aaa5a1929fccbbdd56b9fb8760db8 |
| SHA256 | af3ce4a55a12fcc091d49047f3c54bb694ff4bac84a624385d983fa438b8e286 |
| SHA512 | 0cb1d2dd3a30d22178e64bf7f0f56adcc3a862b1ac9c81f8ba5d438581ea68371834fab930217ad4d5b2578a00ee2dfd4ebb18aa57a17d04004d91c58afee189 |
C:\GalaxBB\bodasys.exe
| MD5 | afcc51ad6ff86eb8d811254662084d20 |
| SHA1 | ea9ff02c6905c5aca91201160ce0e236c23fe7c0 |
| SHA256 | 8860ed2feddfdf3ae97390c0a225235657a3295c63cff3dee3a0ea71ca08a9c3 |
| SHA512 | c07b1298fda9ad04bd8dda58f6e075a7a08450b10cf7d5d1bb00ed64ef982c3ca07a9771c672e18cb5ee18821893abc5d1c14b58222101f17546a9a0cadf31db |