Analysis Overview
SHA256
39825b96cabf19ac29ee9dc3ad9d49c9daed4e176e2eeff742aafab63e619c4b
Threat Level: Shows suspicious behavior
The file 5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 03:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 03:46
Reported
2024-06-13 03:49
Platform
win7-20240611-en
Max time kernel
149s
Max time network
128s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\IntelprocZK\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZK\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOK\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\IntelprocZK\devoptiec.exe
C:\IntelprocZK\devoptiec.exe
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocZK\devoptiec.exe
C:\VidOK\dobxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidOK\dobxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 03:46
Reported
2024-06-13 03:48
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
51s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDotQD\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBT\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQD\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5bda9bcf5c906737b67fc3e01fc374e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDotQD\xdobloc.exe
C:\UserDotQD\xdobloc.exe
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotQD\xdobloc.exe
C:\GalaxBT\dobdevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxBT\dobdevsys.exe