Analysis Overview
SHA256
bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec
Threat Level: Shows suspicious behavior
The file 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:24
Reported
2024-06-13 04:26
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotK9\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotK9\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2B\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotK9\xbodec.exe
C:\UserDotK9\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 3185709dc78f047c88e0d6cc7916eb46 |
| SHA1 | 3b7b8e98a3a55f8432951e5caccce5ccb75e9d16 |
| SHA256 | ae23b91f627cbc61ca37b6c0e9ebef1552e834dd617c7f0361818f8040c55e5a |
| SHA512 | 944e4a1e926283fa8c1d633320734eca2805d969151cd49d1f1606bebfe910b26369099b2472c0d86845875c1e112607912f2b74fcd9cdc8eca436a357cf13d1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 65afa83001750f48b3c1bf02241129eb |
| SHA1 | ce386ad973ebd75388015558323e727f0dd6ebd4 |
| SHA256 | d1c45d8afc2b87b17040e2f715d772d29a1898048d4784916123111a8eb0ece2 |
| SHA512 | c3f2b1c54ae38919de91a6df9483de4ad117fcffe81754a5ac407506bbb0d9cf4d9fef0a672d5000c0a94d9444e436de2b860ccaecb6ceb5c4d19fc888d24f87 |
C:\UserDotK9\xbodec.exe
| MD5 | 1dc38781176be25e3600c2ded876f946 |
| SHA1 | 3301054c4f6ccb51a665c95923843147d4b8e0da |
| SHA256 | 507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741 |
| SHA512 | 60f14fae2b0b05856cb44436c2e6b9fa567efe08e13e3db85e15925e3313c4a51202f7adbbade58a9e7bb766072cc10ad6a063cc7978b4204104d140281ac016 |
C:\Vid2B\bodaloc.exe
| MD5 | 6e39c2b845e876b0ed80dd21033084e1 |
| SHA1 | 1f5ef2476f191f31f4031475a68b15e2167cce15 |
| SHA256 | 8947e739c341a7af6c31010f252ff99ffb11e7c10850078bee19d9e284e15eed |
| SHA512 | 5a575ea5210b981734b4f92037e44e28ecd2e1598d5f0c61fc074f4f761adf1ad7d35f1a74cbda099b4067c46d8d4a3bc271382defc8c3dffbea242d87b30170 |
\UserDotK9\xbodec.exe
| MD5 | e81304f18b262cfb5883a916eff7aa01 |
| SHA1 | 32d2ae042d6b105d208c0fd1dc797aef8fa36085 |
| SHA256 | 640c9d0906d02b843944875941cbab6f30204f1f4bd7a7a42f89100218ed086e |
| SHA512 | 622864b1099785eb3a0885c8a7faf9fbb5b02966534cb78a8e8093a668aac56d6356f5d2b8f1807c8a1a8464d13d6c5a4c4937f0e97ff7ecf533012fc986a07c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b875f1ababf6c10a134628e46fb02260 |
| SHA1 | e0196465319bcfd2848099bc262ddccab5119221 |
| SHA256 | fb564aa85216bbf7b83e2e00c24151817c8ec269ea17bc82d6c2f1f00e094373 |
| SHA512 | 8c1ff915814580294436697a92effaf00ea5ea555b5a52e1bbbd3011d2c896779095ff12781fe3a51e4316e664b0edfadd48cfd38a954cd7ebb61f4087efc011 |
C:\Vid2B\bodaloc.exe
| MD5 | ebef48138c153b4db5866b3d2cea6e9d |
| SHA1 | c39d69a4435f466ab30c2dc1b58828be325a9860 |
| SHA256 | 166834794c8228d52e678eae929251e41fb679be515442dd507d4cfb3462e743 |
| SHA512 | 9af7b1a6f9d04d70b02c5b4e98514df1466e14b6b7439deff79b85a5b44f7740d05713e30a5e47d9cf04af572e480fc056cccb29da963aa673d685c59e7b0b48 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:24
Reported
2024-06-13 04:26
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocFU\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFU\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ36\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocFU\devoptiec.exe
C:\IntelprocFU\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 88c42fbd28eed6898c86e0a12489155d |
| SHA1 | 13569bd81d69f3a43c31bbd8fc2ab050984dce4f |
| SHA256 | 1eaba797348d4b58df309de541a06cd2a7396ef95a0d32961976f469936b3c04 |
| SHA512 | 52e53bcecefdb7dd8d84528598c2174d18e0bf9dfb9218b42d52d801d761c4ce1c4cbec682955e96c039ae457cee8b497025e0fff45d6e301331c10fbd4b5713 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e90df232ec7d919d78029857aca3d7db |
| SHA1 | 7b9b5d60c8e33ed2cd164ddc4d358c6c2f0d8dc4 |
| SHA256 | 23410bcbb8999043cf573d56f9c415ea408cc347835db57c45db417d7e9d4ad9 |
| SHA512 | f253f2bd85c49504700e81e0a08f015e4529dcfe8c8c32fe36b0141e87d8b3b281ef1b4f2b3a8f70150d7b1d8307e0fae0e1a3ca59913f409da9750611786599 |
C:\IntelprocFU\devoptiec.exe
| MD5 | c4f83f89913d922645c736eca3a7d7c0 |
| SHA1 | e7abf0d004e66cd4e9bd82cad6027f5257f0dccf |
| SHA256 | 71d500d6c794da9230f8dde91cd41d6de5af59fea5eb4b1140e89914afa08bde |
| SHA512 | 1b93dac85ca2e7713977cca57705fdfeeb470dc1d9b72eb4858a2f5d30ff0c64b234425491f7576f3afb4627d41391f5237bbe75e3a8d9c9913f8014e505d595 |
C:\IntelprocFU\devoptiec.exe
| MD5 | 36dc548713e327e5d194c946b1dd8b4f |
| SHA1 | 667a693c695074b8e496b9c1b4ceac8fb16b96e4 |
| SHA256 | 926cba8c61e26c002f29a068df048b89bd76366e879c7a10dfaed734d17932f8 |
| SHA512 | e007655f7fe1ef74e390f3e8c61488b837c467de24c5bd2b452c0ae83eab70f5c1fb54c730f14e4a3746f931ebc37852d4d5c50bc722540fb75b5e9b790a398c |
C:\LabZ36\dobdevec.exe
| MD5 | b42aceeb7d6026522214786e59f568eb |
| SHA1 | 119a53f62efdbe60109ec165bdc5cbaa4e1f10fd |
| SHA256 | 82c2b77061151e3f5388562591a5f1b5f429adfbb897ebe184f36ef36de58549 |
| SHA512 | 94949c4a45c20eaea2c173b6adc340fdc31bedcec3dc915f90eb31ea2bb850f1345592ba93330bb023829cc0a1fc5738070b12b9b62c94b70395b05537d7ed79 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 75e17df605a4bc141e54df12e60868b2 |
| SHA1 | 232fa44e3890b2f0df87f200ae265ce725cd46dd |
| SHA256 | 6443b15bf2d29e46fb5a6c52849617558e90d67ba048b6232d7927caa2dabbd3 |
| SHA512 | 74189d2fd1e3737c1bf396efc28a86cef76faab9ad675fe97820e122f062a3742e7863113efb684c3ab690e02ccb40b6c2dffade4c28c95753e3f6ae8c961ac0 |
C:\LabZ36\dobdevec.exe
| MD5 | f23ada096c7adffd47957ad97468d399 |
| SHA1 | c50b77a9a9105b8ffe2684eb9748c4aabb789354 |
| SHA256 | 0122af29b48c157ddfeb2daf79d543072119c7368fa0a811c2d35340416fa3f3 |
| SHA512 | bfa83b3b79ea4baefa4e67423807594b627d0bba13b99ebd51a22408dc1d264b4c20b7bed9acb7ac1acac32e5d16b2403195e7422a4222128a7605485ad410a0 |