Analysis Overview
SHA256
41caf77ad4f97c8812acef1f805edad7f60502a93ffbb161e836d6f06856e02f
Threat Level: Shows suspicious behavior
The file 608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:01
Reported
2024-06-13 05:04
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesT9\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesT9\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCW\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesT9\xdobsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesT9\xdobsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesT9\xdobsys.exe |
| PID 1008 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesT9\xdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe"
C:\FilesT9\xdobsys.exe
C:\FilesT9\xdobsys.exe
Network
Files
\FilesT9\xdobsys.exe
| Hash | Value |
|---|---|
| MD5 | 6625a63d4cbd29f9abc16964df82fc49 |
| SHA1 | 90d8988d5204c0160cae2d02fdf9636234d3010b |
| SHA256 | fadf679edaeb38109cbe835b03c19eb4b0aa90c636b2c71a5e5291ca6c52bd9a |
| SHA512 | 949fc2e37842c6b7e9870e2e5b56de2637e233e82b113de3c2c605701bfc68c049fe024b9223b6e1011bf918d4709344be720471a73087a575adf60219f91177 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 570e0fede63ab495ba80f310354213f2 |
| SHA1 | bce80d82fd548b7d2b0f6d1cbddbf1a7154c1e0d |
| SHA256 | 1d0b387f6c500bcf4d51459cc9f21ff5f939452b4a4a5cdb9b52ec43490145e6 |
| SHA512 | b6e74d0e709b8eac7b3da28b3b957c0af047fed599123b66e365d92f4b8f738a0b70234bbb061b45e210f47ad0ddfa2d439af545b0934e0bcdb395e03c27b688 |
C:\VidCW\bodxloc.exe
| Hash | Value |
|---|---|
| MD5 | 9fc72f754153442ade013bd0a5fea867 |
| SHA1 | 9ff3c5098e5fb8fd2fd9e6d04da01df26555b25a |
| SHA256 | c5bb505a109a292e2c818a14d23c8f9acc46c426307302d868e167577b795329 |
| SHA512 | 3bae2fcf8df59b29ea79e14d932811400879dceb1340afb87e047dfa6e2ecfa1b5822d6c6607d24232c60335642be3b150cf582fbb25ca9195f51e5556e44b83 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:01
Reported
2024-06-13 05:04
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\FilesJO\abodec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJO\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY4\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3128 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesJO\abodec.exe |
| PID 3128 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesJO\abodec.exe |
| PID 3128 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe | C:\FilesJO\abodec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\608446f3f8f0b360287dfddaa44c3580_NeikiAnalytics.exe"
C:\FilesJO\abodec.exe
C:\FilesJO\abodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\FilesJO\abodec.exe
| Hash | Value |
|---|---|
| MD5 | 96af867861421b01dea8dfdb7448bf56 |
| SHA1 | 73cd4747e92371186f6a7be46b1a2d0625a32652 |
| SHA256 | 2ee888ab9c5c1c4ae59ee4a8babdf42c72c2819457e876a044f24b2b6cb486d7 |
| SHA512 | ffb766a5a6865b7d566abe9039770be070fcda3d8cac9d9450f416c443cd81f76556ce0920417750b12f07a27be80b2a2125c091971f293e90ae9921fc2bd299 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b71c0091c528709ed7de497be3f12281 |
| SHA1 | b7ea6371d97178006a49289ce0f622b12a794dac |
| SHA256 | 206cba8e0caf9fc6e875a68bbac311611dc7c319bd8bb1b8766182946a3eafc2 |
| SHA512 | e29bb3b131a02d3da26d59faa577cb18cee61eee54e43d57534e6755c26e513493fc63f680ab6240ffbe7b2941140b8f8ed64a6e830d1bc10d1207eb632e6637 |
C:\LabZY4\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | 2e92ae2f0d95294057fd453e45e9e664 |
| SHA1 | 76a73617346c895c4e3db28709d82fd5daaf2201 |
| SHA256 | 3b89ce62094baf047c974399f3cd50d16941378fcd49833abe6212f032c94ab6 |
| SHA512 | bb3f1a46ad1b2f7dfaa2001e17ec26fd20818f286864ee25e0d0a4ac24aaca50406fa63ddcb12ad5cc81e78bae9384e51d16c0f98df69c197a590c36221b1b9e |
C:\LabZY4\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | acbce26cc3998e58a9b434b3e7d08c16 |
| SHA1 | 93326e1d59e926685d58e3d9b709f5cdad0613bb |
| SHA256 | bd3219f5756d5ea194a308e3ac4c1799f67a120e94810ab327917eda999b4c8f |
| SHA512 | c3ce6ba6b2b9817a295c8f1216d6dff6f692aea9c37dc24cf3e984eab6572fc0773d26a51e189b64e27cafa3e3c53cd1af2595bad33cc3a16e0a7e858f2b8af2 |