Analysis Overview
SHA256
6535faddfcbc48e4c9dd5b3f46f87d99db166beff30029fc65056356fc3a861e
Threat Level: Shows suspicious behavior
Verdict for the file 6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:32
Reported
2024-06-13 05:35
Platform
win7-20240419-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocCZ\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCZ\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocCZ\xdobloc.exe
C:\IntelprocCZ\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 5d74880526f72df2668e73d054e04c44 |
| SHA1 | a026a14400893b621d50bf95e890e8c78e5d0836 |
| SHA256 | 4bf2d516553df066c1a7187aa2c6b4cfcbab64cee3735ea8e189b4cbd0f10019 |
| SHA512 | b443f89a11a731c9972ee4f43cb7919e472a327915fe8bb89d4fac88f685522765ccf6160925187bc68f08947b2fa66ac0b694ea918cbaf004292cccbe2e7026 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d02ea01526212a6cc75d88584d25c7f6 |
| SHA1 | c86635952237fd0f4bf3301c4101760361f23449 |
| SHA256 | 03b2384a7046697755767b8b9fe688b1bd15d20aeed00a3908128cbcee1bb09e |
| SHA512 | dfe0c225d3ac7213375e39352a5ca5dcac65ff4cbfdd33851f3ea3bb9c6e6fcef561357a8a7f53fa51336c4d9d6c4a7b927adf45ac328d24752bac234dafb833 |
C:\IntelprocCZ\xdobloc.exe
| MD5 | 4aeaf0c476cb2235d7e18f3707e8cee7 |
| SHA1 | b318a5cb221031eecb8667e9845974b1fdbe4960 |
| SHA256 | 79faabf0b8ce11d354454aa7a4725dc7f80830a2f6b6147c3a7755089a2711a1 |
| SHA512 | 13d902eedb2e9a5cd0ef9b78abc9543ee1abbe51705561740964c1a149c2a8029fb77140f803fffc929086ca9e0266ac7346a57764eaa95c05ff3bd65e80cc2f |
C:\LabZXW\bodaloc.exe
| MD5 | 26a09658d9323463610278130c6b60e0 |
| SHA1 | 4fdf4f543784c28cd846f38cbc7332c437c55216 |
| SHA256 | b4ded1f01782347f359b122b49bb0c8744c38657fd0dff76929ca7b8581f0c1f |
| SHA512 | 4970ccf1d82f1444b55e79cbc27ee37d189b141a7280cec05b2bf7afdeeb1cc71bec8485cdfbe979118098c51f6b8c03d5b49cd97227f0f6d08b4f35b8f2733c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d00445955a24ed87e92bb0c62ff84e79 |
| SHA1 | 268f79e0c8f59f4292c83c4dad5ea33bab6f7fbd |
| SHA256 | f45d96e5bb539bc4e43b9b8fe0697a355d41a9be0b4771689109af7ac1320529 |
| SHA512 | 4a72df74505c4d869201c95bc1a4462cf28fa51e15aa018c591ab7c05238484fbfa016658e8efc5dc228b13f23b17cd8940fb5b741dc6f838ec35afad831b775 |
C:\LabZXW\bodaloc.exe
| MD5 | 2c368577e9554133d02c83bf54a3ba6e |
| SHA1 | 49b7a9ae2d4b99497643247e01905888709f9fd5 |
| SHA256 | a133dd9ff9d9f10e5866c760cdd82f93cc9b63bbc2f61deeca3dfc19530bb3bc |
| SHA512 | 6738917ab34d25b7951ccba929c783d529abd278da5610a245c6c13691fecc1ae024dff9e6702c16321ec7300ee950a2a7fa1088dce430274f937ce643d834a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:32
Reported
2024-06-13 05:35
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\FilesXV\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXV\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBML\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6253d0cbca1c76cbfbfd859f4facdbc0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\FilesXV\abodec.exe
C:\FilesXV\abodec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 8b286c43a47f133cf388deaa3e6b09c6 |
| SHA1 | 2bca0f2d31297698a82293b21b6aabe7fa2809f8 |
| SHA256 | cf51762f621a7881969fa88c73a559a5171d150b39a3b3dbbc8ae348c84a317e |
| SHA512 | a6427a6cbbacc0f286c42b6dd0311525437778094f0121bd93308d1ec59831aa99091f2aecccf97630343925d38ccbbcaad53bbe8803a9300f47c3e6b5fb3df1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d16042f7cbae4024d74a9feba2b22933 |
| SHA1 | 5c91eb6794d17a51260100ecee35dea8de70b86b |
| SHA256 | 5c6cc609ff6d28bab828bb2543d139d537694406318fbdfd0e7b5c94b6672295 |
| SHA512 | 23abb25de1fd3189c424e5f2e946b3fdc884335f6a927fe1ad9446468cd9aa7f618be28566181e779c280d430ae1b82de29c017254c9b6078418640c8ef886a1 |
C:\FilesXV\abodec.exe
| MD5 | b64fc83b413933e0a7e5a6f25583ba0b |
| SHA1 | 8ec82f21d69244979bb5da65c21f8034ea777182 |
| SHA256 | 779dc28bfc18d61fda4587a3bf40a75f63cc3eb21a19b18dc93f5a2aadbb521e |
| SHA512 | 14c3e0d3efbe9e42ada236b0b7668ba78304eaba741bd7aff346a3894f888c5d57d4d625909d3124d609911bd53f08267aa144ce71bb5b5dd8c82124f82c0acf |
C:\FilesXV\abodec.exe
| MD5 | 74bb446560435761135be706d42de917 |
| SHA1 | c220e761608fa4e8409d9c9e4144bd7a35cda736 |
| SHA256 | b0308ffb362db01cdd56289f13152bbf7036caf9bd983ef1e29ec5ef12fde0a5 |
| SHA512 | 2adf14198c3cb97700b1e1674b0788119a86ca09ea1d3b4f061486956be92d9740353a05fe865e190e410ad8d8db3a7edec83a18e3fb0931611aa3eae099f97d |
C:\KaVBML\dobasys.exe
| MD5 | ae8be8e2b1dab8adcb836a33cf6b9a61 |
| SHA1 | 515818c5f9405956f70943bb72ba90e9ba78e9be |
| SHA256 | 3f6a2116dae8cf70a291b708d7a433a4131aa97d54aa90c7e7c7a772133beee2 |
| SHA512 | 27e40b2e46154b9c2897e8399b1af317f88ca2e3ef7054a9448c2abdbf7f18785b448b4aee832cd94706b44c9e30fd97a6d1f85cb28c11b70a3e38f9b4c37676 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d542df43cc1e2dafde02c86e891a4fd7 |
| SHA1 | d1292fb158fec234d1439f7675524578c45b799f |
| SHA256 | 1a07183992ac770928ba9b782f2c20479ef34278acf767c84d4a6fd970456286 |
| SHA512 | b38acd8c8cfd3d1d997e6e887bb73ff31042b4c55d694c05b874f3adaa1f7fa66d47f17e9caa7905fb32fcecf0f5cca9f7add5775ef22a3b620dd844f9011c8b |
C:\KaVBML\dobasys.exe
| MD5 | b1bff5461f6eccee15bc13b90b862c37 |
| SHA1 | 9b68b3e8bd60c2c4b00d1ff961e9c20b00350466 |
| SHA256 | 31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498 |
| SHA512 | fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0 |