Analysis Overview
SHA256
9be5b7b524ff18cf38173c94293f03877f927eef6a0667eb73694d041a32bcf6
Threat Level: Shows suspicious behavior
The file 5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:28
Reported
2024-06-13 04:30
Platform
win7-20231129-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Files7F\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWP\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\Files7F\aoptiloc.exe
C:\Files7F\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| Hash | Value |
| --- | --- |
| MD5 | b5e100cf2a6b6381aeea3ac9fb8fd7cd |
| SHA1 | 6024cdc56ba5c73999c7637a32717a26c2957a7f |
| SHA256 | 1a66d894f9d97c6ab25b66b247c8777cbd240fa8c42b202ba412715cf900452b |
| SHA512 | 8246c92ef0dd117c6d40cc0bafbc8fa9be784d783928f6e7e4f48c666ea95310d0b615db28e6040706a40fae0abed087c7a3786c6a4db6ce0a169e26761342ff |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1137aff61d3e35640787d47fc3dd3f45 |
| SHA1 | fce1559eda37f49d9c4d399cd2dd030826864545 |
| SHA256 | e92c3998425357c2a5ae3434350c36aeb3f27307657c4fadc13b2f935e58ee8b |
| SHA512 | a35b9bfc15f6e7794b29c84f1a78f6bb1b18ea1114b577302c322a091e16e61fecf0ebfd6310872ad31bc501e492ddd1a051b0f1fbe59d0a44da162ebb380f79 |
C:\Files7F\aoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 6fc8cd47a3e8a1699d03dd51e7fdd4c2 |
| SHA1 | 93630aba3d698c8637cb97a88de449622fa0c39f |
| SHA256 | bed36c75f455fb5c4c5aad376bd76b97574cd50a0b03d78e720d4c40bf15d934 |
| SHA512 | ee812162a26984ebf745ba91a6710eb3b7bb51d0789e9c0eae44eeda1923ec1de561ed61d3888f1ad4b598c4a22cbf0fa1593fdd5d6aace742a007d0570dbdc7 |
C:\LabZWP\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 5c7cf27bc3b44e30685de7b71ab52397 |
| SHA1 | 9a83be6d15eb6ae10f7660f8e5265fe4e7acf694 |
| SHA256 | 7484a101190b1fceecfb9239970553749da2e768ff3343b866a84c5f36268268 |
| SHA512 | 6139de0bc101b676a2573fff4683e4884179dab1b4f3fddfdc8efbb709df0174e3fc6f7c757094a530d2cbbccda5b9003dea15a1e2a6d43c578b3a93ef326c51 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6f886862188a350a00ad2f6efba62573 |
| SHA1 | d453b1736e323936c824193eaf91e13626f0e2ee |
| SHA256 | b470a8a86d27ed907240eee705f04686bf504a5fa2ad03557d205ee9616317ff |
| SHA512 | fbc29f9e42d3084e2e7a3fcb27e72307c6fa66daa1e1d96832d799eaee616304fcbefeafe0f04568c908e96a4c6f4be2f7bb213854c29f14ae0cbe095fb8533b |
C:\LabZWP\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | b3b7c323c5b11df7d0f41b45264f01ac |
| SHA1 | 4a24cabead58e8527c3a2a67b74d4a0662119e4c |
| SHA256 | f07205beaa14d527d3941ea8cda840637e5e61b99f80f286745b18e13b9ca1ff |
| SHA512 | 301e2ba6ff2d1f3366a06a9dd8aecfccda334b46ca2062fe8ac1fe0b4aa163d70e2d02a0c0e7b0aef27f4193c638d2ac7141a04361f41e239344ada50842b9b4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:28
Reported
2024-06-13 04:31
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDot1M\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1M\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMV\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e7e5d3c8a80fe057652c13e56c93a50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDot1M\adobsys.exe
C:\UserDot1M\adobsys.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | e80dfb765c0ad6f0385f8c27f88fb3fd |
| SHA1 | bb99f9fefcfbe3cf1a36d5e9931061379b6e8614 |
| SHA256 | 9f03400ec7170e86437d8d0794c621a48821dfb80f82d9feb7dfe7117882a3b2 |
| SHA512 | b3eabd3433844d3bc1ff3e16333b46309895360faff3679e035efd0d9cffa137d98e7ee732d910df07528a902c131c5af387071a68a793330ff0978a367cf1f5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c7d4d41514c77691db22bc611aa8e863 |
| SHA1 | cbbb53f1b51a85b2b37770db2b611d7934af4ba1 |
| SHA256 | bf757f6977bf5529397bee3b0fa3dba04ceb1ae318f7dd5540c8908af2a50946 |
| SHA512 | 0c164424d15401bc360a6ef6e906bd310bd64c424bf268961187e76ee2bc435282fea2edad2064afab2ffb27168da4c510694b025eec7afd23e7460fc67dd4c5 |
C:\UserDot1M\adobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | fa61a177e805a66b3ad79bafe5a32972 |
| SHA1 | 0b4cfb481372267a29dbbbdd660f5f3476b9fe01 |
| SHA256 | 672e6867fe2287b9c123a1ff02a90b719e60a13779588f1202241bbd021180fa |
| SHA512 | 0fd2b891368e67198ab800d6ed6cdcd5510ab9b6dccb2c5aa1087c7cad621225f5bcbb0a543b17d59f46e64356cd836e51bce809494059389d324c5c02372e16 |
C:\VidMV\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 53197a8d3490b8c21235caedd971b3c0 |
| SHA1 | 817a8ed047707adf5f8ff923d509f08858be1f64 |
| SHA256 | 810c33748adff45f4669f637afbbc08a466a9ba1fcbb37ebb3c1e204013bf25c |
| SHA512 | d5a6e790bcbf8471bbd9af0afb05f858b2fed5567f006977149ba3bd7dd2f923a78acbbed64cbb3906548551e74f7bb9fb7ef83d333a1c9520738fde151619aa |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a1d7d4bbacedcd6bdf7497ade07136e6 |
| SHA1 | 13dc0b6042cc1dea189c3def474e0c225cdab8fb |
| SHA256 | 1db3b6d05d1c486a3eec5842b1afb629cc45f734c935aaaffbf1bd2730c67099 |
| SHA512 | b6f967cf24a3beb39481c61d15c53870a7ace853cb4553151d2fd431c5ffe02a27950aeab282d75479a50dca61633e0ee67c5e13e3e53f3c2c6df906d68052cd |
C:\VidMV\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 2911d6dd5d038ecb8f9725f612ffc037 |
| SHA1 | 1b1fea74266386bd0e39aa57f50e659e7e8b8d5f |
| SHA256 | a1483f07918722b581218fd86efc4bca02558b2b7dd2b5ff36bfb8123cbf5e43 |
| SHA512 | 3bb3a3777720714faa19a69c05ca021ae867b883624a508f2bf8618b50f23fab24e2f6d28d63ce231215cafd924af9f9cc88ccfdcb86b2ad63c2727077d28d94 |