Analysis Overview
SHA256
9cea047ecffe656ce6e5a36bdfc4ebbe708950228a9b86dc1be0563d364f30f6
Threat Level: Shows suspicious behavior
The file 5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe was rated "shows suspicious behavior". The verdict rests on the behavioral signatures listed below (dropped executables, Run/RunOnce persistence, cross-process memory writes); the report names no malware family.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:58
Signatures
Unsigned PE (the sample carries no Authenticode signature; no further indicator was recorded for this static pass)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:58
Reported
2024-06-13 03:00
Platform
win7-20240419-en
Max time kernel
149s
Max time network
119s
Command Line: (none)
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvF2\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF2\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEC\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvF2\devbodec.exe |
| PID 3020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvF2\devbodec.exe |
| PID 3020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvF2\devbodec.exe |
| PID 3020 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvF2\devbodec.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe" |
| C:\SysDrvF2\devbodec.exe | C:\SysDrvF2\devbodec.exe |
Network: (no activity recorded in this run)
Files
\SysDrvF2\devbodec.exe
| MD5 | cd00b9c8565d832127f1593df7f10112 |
| SHA1 | c8db7116a2284208c51ff57270aeb6eacc3ce9b8 |
| SHA256 | 6b8bd4bfc104a989902c7858a2236edad44b053a18d0171c01b533029e657a2d |
| SHA512 | f6a3efdd7007a80a689bbf6ca25d4d87e0c7683bc43886606cf314db24224fbf153398cbe4526da567337915b15e674d5fe8997972d6858af7469bd9f3eadd5e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4ee7d9e7ce09678f8eb6a1f2892c569b |
| SHA1 | f1b367ba25fea0c61231002083824f624b0c49dd |
| SHA256 | 1a9fa52466c1c73a7049c259035e49ff0b81024bfa6a9dc79847505ccf3f7060 |
| SHA512 | 33a13b82b94b18085652f6934095feec90ffd46b1a6cbe6c2fc9e9cb24aa4fff4df81f46b82696c39137ee48a57225c8d53dbd682bb29f89165913d821551d36 |
C:\KaVBEC\bodaloc.exe
| MD5 | 8562bafccc93bc17464e701595599f50 |
| SHA1 | 964de02172dbca16c047d21fd17dd07d15c06b93 |
| SHA256 | 375205af13cc087df53b56218337330b7dbf2837712849355f1c3ae9855fcbd9 |
| SHA512 | 908c95e5bfd68821270ab25353e0ff03c89ee6211ace8720bbad6a6fbf8dd577a295897727c469cff3f8298e1785b4520c3c84ba5ed47b1eb179539717daaaa2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:58
Reported
2024-06-13 03:01
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
94s
Command Line: (none)
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\SysDrvOY\devoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOY\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | N/A |
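Both detonations set a Run value and a RunOnce value named "Parametr" in the user hive, each pointing at an executable in a freshly created directory directly under the drive root (C:\SysDrvF2, C:\KaVBEC on win7; C:\SysDrvOY, C:\GalaxGD on win10). The directory and file names change between runs, but the value name and the path layout do not, which is what a host check should key on. The following script is an added example, not part of this report or of any tool it was produced by; it applies those two heuristics to (key path, value data) pairs as a Sysmon Event ID 13 export or a registry dump would supply them. The sample events are constructed: the first two reproduce the win7 run's values, the rest are a hypothetical baseline (the OneDrive, SecurityHealth and DevTool entries and the C:\Tools path are invented for the example).

```python
import re
from dataclasses import dataclass, field

# Value name this sample used under both Run and RunOnce in the win7 and win10 runs.
KNOWN_VALUE_NAME = "Parametr"

# Matches HKCU/HKU ...\CurrentVersion\Run\<name> and ...\CurrentVersion\RunOnce\<name>.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# An .exe in a custom directory directly under the drive root (C:\SysDrvF2\devbodec.exe,
# C:\KaVBEC\bodaloc.exe, ...). Windows, Program Files, ProgramData and Users are excluded.
ROOT_DIR_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\(?!Windows\\|Program Files( \(x86\))?\\|ProgramData\\|Users\\)'
    r'[^\\"]+\\[^\\"]+\.exe"?$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    key_path: str
    value_name: str
    data: str
    reasons: list = field(default_factory=list)


def inspect_autorun(key_path: str, data: str):
    """Return a Finding for a Run/RunOnce value resembling this sample's persistence, else None."""
    m = AUTORUN_KEY_RE.search(key_path)
    if m is None:
        return None  # not a logon autorun value at all
    reasons = []
    if m.group("name").lower() == KNOWN_VALUE_NAME.lower():
        reasons.append("value name 'Parametr' seen in both detonations")
    if ROOT_DIR_EXE_RE.match(data):
        reasons.append("launches an .exe from a custom directory under the drive root")
    if not reasons:
        return None
    return Finding(key_path, m.group("name"), data, reasons)


def scan(events):
    """events: iterable of (key_path, data) pairs; returns the Findings, in input order."""
    return [f for f in (inspect_autorun(k, d) for k, d in events) if f is not None]


# Constructed sample events: the two values from the win7 run, plus an invented benign baseline.
HKU_CV = r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    (HKU_CV + r"\Run\Parametr", r"C:\SysDrvF2\devbodec.exe"),
    (HKU_CV + r"\RunOnce\Parametr", r"C:\KaVBEC\bodaloc.exe"),
    (HKU_CV + r"\Run\OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (HKU_CV + r"\Run\SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (HKU_CV + r"\Run\DevTool", r"C:\Tools\devtool.exe"),  # hypothetical: only the path heuristic fires
    (HKU_CV + r"\Explorer\Advanced\Hidden", "1"),  # not an autorun key, ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.value_name:<10} {f.data}\n    " + "; ".join(f.reasons))
```

The two real values match on both heuristics; the hypothetical C:\Tools entry matches only on path, which is the expected false-positive class for the layout check, so treat a single-reason hit as a lead to verify (signature, hash, parent process) rather than a detection on its own.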
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 700 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvOY\devoptiloc.exe |
| PID 700 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvOY\devoptiloc.exe |
| PID 700 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | C:\SysDrvOY\devoptiloc.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5922593b7c066832733de77c1e113e10_NeikiAnalytics.exe" |
| C:\SysDrvOY\devoptiloc.exe | C:\SysDrvOY\devoptiloc.exe |
Network
The table below lists the win10 run's DNS lookups and TLS connections without attributing them to a process; the Bing lookups and the reverse (in-addr.arpa) lookups are consistent with Windows 10 background traffic on the sandbox image, and the win7 run recorded no network activity, so treat these destinations as unattributed unless a link to the sample's processes is established.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\SysDrvOY\devoptiloc.exe
| MD5 | afd03e6294fd46adeaddd7e529eac8ed |
| SHA1 | 60a321cfa8fae4821a12225a515f49b7c5bf0199 |
| SHA256 | 30cef1b66e63ea524beeb9d4a6c78f93d1eb34c10f81c5979590b5c695f1ed32 |
| SHA512 | 2f57fb7e402b4b02f05dfbf3cf97730031cad0104dc6a3695dfb6bc259ca6e515fa1bb830b806c0f131079c4b30b8e961324ab279897b6fb655b2370857f304c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b8d9a40e0bd1f624b4f22521170095ba |
| SHA1 | 65789bf4e16618a5b59c4c8317eb63f2ad796757 |
| SHA256 | d6d685f3d6afdfe135b692440031b2eceb8ad9e373f0300b0690cdb000b85cdb |
| SHA512 | a5c6aaf80b886d8e84d6553679951351ddf8fe59ca4f32cd60a27bd9e192e611bb8a16cb6a53a05a4aafd1a927fd161bcac045723f7a36c22e91b9016931d896 |
C:\GalaxGD\dobaloc.exe
| MD5 | ed5de57abf08977d4886831d24687bdd |
| SHA1 | 94332cf44091599c52ec3565975bcf3f2589e9eb |
| SHA256 | d4ac81a8d108f1733cc3a5cad130e9b5cbee5e4af3af300b26e0ed8ccc0cb978 |
| SHA512 | df1e750cda2ff8280ebe090bded55d093db15fecbb11970cb404e7c3394a1bffc4981ee07cd1e9f76ff5a25b5fd78342f268b864c618175016b262e6a67427bd |
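The Files sections of the two runs show that the dropped executables differ in name, directory and hash between the win7 and win10 detonations (devbodec.exe and bodaloc.exe versus devoptiloc.exe and dobaloc.exe, with distinct SHA256 values), so hash IOCs from this report will only catch byte-identical drops. The one file artifact that keeps a stable shape across both runs is the marker written to the profile root, named <digits>_<OS version>_<username>.ini (253086396416_6.1_Admin.ini on win7, 253086396416_10.0_Admin.ini on win10). The script below is an added example, not part of this report or of any tool behind it: it collects the page's SHA256 values into an IOC set, adds a path pattern for the marker file, and evaluates a host file inventory against both. The inventory is constructed for the example; only the first digest is taken from the report, and the C:\SysDrvQA directory and the other digests are invented.

```python
import hashlib
import re

# SHA256 of the submitted sample (Analysis Overview above).
SAMPLE_SHA256 = "9cea047ecffe656ce6e5a36bdfc4ebbe708950228a9b86dc1be0563d364f30f6"

# SHA256 of every file the two detonations wrote, keyed to where the report saw it.
DROPPED_SHA256 = {
    "6b8bd4bfc104a989902c7858a2236edad44b053a18d0171c01b533029e657a2d": r"\SysDrvF2\devbodec.exe (win7)",
    "1a9fa52466c1c73a7049c259035e49ff0b81024bfa6a9dc79847505ccf3f7060": r"C:\Users\Admin\253086396416_6.1_Admin.ini (win7)",
    "375205af13cc087df53b56218337330b7dbf2837712849355f1c3ae9855fcbd9": r"C:\KaVBEC\bodaloc.exe (win7)",
    "30cef1b66e63ea524beeb9d4a6c78f93d1eb34c10f81c5979590b5c695f1ed32": r"C:\SysDrvOY\devoptiloc.exe (win10)",
    "d6d685f3d6afdfe135b692440031b2eceb8ad9e373f0300b0690cdb000b85cdb": r"C:\Users\Admin\253086396416_10.0_Admin.ini (win10)",
    "d4ac81a8d108f1733cc3a5cad130e9b5cbee5e4af3af300b26e0ed8ccc0cb978": r"C:\GalaxGD\dobaloc.exe (win10)",
}

# Marker file written to the profile root in both runs: <digits>_<OS version>_<username>.ini,
# where the username repeats the profile folder name (...\Admin\..._Admin.ini).
MARKER_INI_RE = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\\d+_\d+\.\d+_(?P=user)\.ini$", re.IGNORECASE
)


def sha256_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20) -> str:
    """Hex SHA256 of a file on disk, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_inventory(files):
    """files: iterable of (path, sha256 hex). Returns (path, match_kind, detail) per hit."""
    hits = []
    for path, digest in files:
        d = digest.lower()
        if d == SAMPLE_SHA256:
            hits.append((path, "hash", "submitted sample"))
        elif d in DROPPED_SHA256:
            hits.append((path, "hash", "dropped file: " + DROPPED_SHA256[d]))
        elif MARKER_INI_RE.match(path):
            hits.append((path, "path", "profile-root marker .ini"))
    return hits


# Constructed host inventory: only the first digest comes from the report; the rest are invented.
HOST_FILES = [
    (r"C:\SysDrvF2\devbodec.exe", "6b8bd4bfc104a989902c7858a2236edad44b053a18d0171c01b533029e657a2d"),
    (r"C:\SysDrvQA\devbodec.exe", "a1" * 32),  # same layout, different build: no hash IOC hits it
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "b2" * 32),  # marker name pattern still hits
    (r"C:\Users\Admin\desktop.ini", "c3" * 32),
    (r"C:\Windows\System32\notepad.exe", "d4" * 32),
]

if __name__ == "__main__":
    for path, kind, detail in match_inventory(HOST_FILES):
        print(f"{kind:<5} {path}  <- {detail}")
```

The second inventory entry is the case to keep in mind: a drop with the same directory layout but a different build slips past every hash in the set, while the marker .ini is caught by its naming pattern regardless of content. Hash the on-disk files with sha256_file before calling match_inventory on a live host.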