Analysis Overview
SHA256
bd869aedb7e9de4461effd656c188a7dc4798fa614defba50ccc789d5608127c
Threat Level: Shows suspicious behavior
The file 9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:31
Reported
2024-06-14 02:34
Platform
win7-20240611-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\UserDotY6\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJI\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotY6\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\UserDotY6\xoptisys.exe
C:\UserDotY6\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | cc7d016da0e8855191cde5f6a23d0e02 |
| SHA1 | d51417eb6140a6edbec644360353827587d880cc |
| SHA256 | b12af2fd4479b2d5833194b25e6353b0a8925f648509ce64b85305c85764ac03 |
| SHA512 | 1e0116bd5cde7b014ad98a4f64ae5eae546998c15b579a06e137a8cd4c92b8f61fc6406f9cf11d076fcf96e05329ad8a924ac25a8d6c11bdd85970927b09e53c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6b861a82c597526552e4c0f9acd66057 |
| SHA1 | 1a6f412a0661432d77c8f2c904249a1148b673b0 |
| SHA256 | 017f24a6d5624b824d70d0e0854690668734cb16bc310a898a04cc4b9dba5855 |
| SHA512 | cd5c294477bbbf7eeb05d762cba6fc1701b842f34b9acc4fe84a963c9f2650438f24e4728179bb979f964323cc6d99496962ddafa2ace23ed1d9f129b9564779 |
C:\UserDotY6\xoptisys.exe
| MD5 | a3306105d262041a4cd72d6341b178fe |
| SHA1 | b778eb61601eb4229886b43c1cd1f453b1877b5f |
| SHA256 | 861f9f2ae2b7c459ce9f76c8646f4bd0bb48308e0378a3c9a6fa00d2b6360e10 |
| SHA512 | 31b7d591a1290551daaf67e9a3889100dbae02d2eaf8839bd455fca9da2876e80bacdf8b1093b561c3b403f77edf8cf78f0e80053256e2dc3c07f6807762cb22 |
C:\MintJI\bodxec.exe
| MD5 | 1e57e4b30b25046b236b86afca77648b |
| SHA1 | 5970d30d8b881531e48e88397959d3df7cf8f0f4 |
| SHA256 | 785a594aa87e0337c8722ce57d260ab3567cb34ca7b4fdb3849aad08155405e9 |
| SHA512 | 670fd59d30b5a6db9bcd1dbbbf3b5e107d02a3bef907c62b6aebfbe47950d18452e5be7c86d9672ec843fec9681f98eae9cde1cc6986408ec4fdcb0c0feb8b43 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 48d3a91171f377f1bdf5e91e760735e2 |
| SHA1 | 6853e464b983f0f80521c901cf074bf2c3b3af83 |
| SHA256 | 3244e6f99f33852ca26c1376ad58b9877e1b9db7fb0b8dec3767767fe475d349 |
| SHA512 | c3c2d9a0125b5b64626313571d0cf1936b8afb778e95438de7a55bd885b5fec74acc64e08c1e3af5fbd550bce77683ad4bc74190acee5320651091c88abfa299 |
C:\MintJI\bodxec.exe
| MD5 | fb7a150c50ec2d20c4eae7c518fbe467 |
| SHA1 | 7e66d24e459eff0bf0d50bbb8fc3be2f8d758ff4 |
| SHA256 | a08c2fe9853f0a9df095eddd4d232d1383acbe26ca382f5853820f7cbfc16bb9 |
| SHA512 | 44c4c1cbbbd66fe3e9bfd9a96c772e645e49606b0940b880c5aa171f86a98e2b02edf046e2e246a6ddfb539475d06d701aef2abaa93e83e8a84659c67bed8617 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:31
Reported
2024-06-14 02:34
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv2D\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2D\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSH\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b5ded4287c5c3872386297e9a2a1420_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\SysDrv2D\devbodec.exe
C:\SysDrv2D\devbodec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4052,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | df25f5acae881c09035d8e180cb06d29 |
| SHA1 | 93242441149929cfb19c40c35ae9046acf8a72ec |
| SHA256 | 11c5c5470c1eb53501cbff6466b890005f58408214a311353b39070a278ad7d1 |
| SHA512 | abb6d629d62d7988278f2df58395d417165d3a6470ba93bf7ef329d8d747520b12e0d00d0d473e868f04e9971bff7a6cfac5b50989e34022c07872184d71715e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c250e4056e055915db54ab11b4426ae2 |
| SHA1 | 39356bfc81b9fe5506e1e248f5b3c81ccfdf9c7d |
| SHA256 | 3c84242275d80542f823545ce115db4387397b1b9fc1cfcdf0331a2e257e670c |
| SHA512 | 414b2d7ffc879252713aae359afe353bde2ace83d300de0029502a88e0e7f48ae9bba5ca9b5c0880025282f4caad7aae066f42d8009bc197d796ba5eca9e60f3 |
C:\SysDrv2D\devbodec.exe
| MD5 | 18a33d1959df79123937bc66e81ef5e4 |
| SHA1 | 020b41320b10ad5fdf08723393565170e2890351 |
| SHA256 | 68bc44551dbc9770db27668f51e09fb7a301aeeb05465c7391ea923076f20cd0 |
| SHA512 | 18c669182300059a5e789b6821615ea0223733ae8a6f91d160e6c9c2ea8befe739ed111367b5107769fd9a5997f42c33d4dc862138c43a2832593fe1853eeccb |
C:\MintSH\bodasys.exe
| MD5 | f3611b180f53e7b766446f16c0eb47e8 |
| SHA1 | b0a5575b4fca6d2ca1ebf68f998124b33189a5e8 |
| SHA256 | da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f |
| SHA512 | 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 98bd535f1de846fb93c22c094ba6730a |
| SHA1 | d2fc67788c117f4acf823d68a90cfe5fd3346cf7 |
| SHA256 | 8b58ad82ab24c759fed5ecc8f8bc7a573b2cc346834fd5eebdf8d79c123daa3b |
| SHA512 | ceb1b21c25a1a8b173f41b4f3e5438c58bfea11248b5371e70bc8973fb741c57d184eae79fd78ea724d86a07009ec3fde1d13473d7252a5e975bdd24ef83c512 |
C:\MintSH\bodasys.exe
| MD5 | 9066f9da2f6e14f558228b695e72cbf2 |
| SHA1 | 91038a2a5cdbee686253b1163db1462b67afdc3e |
| SHA256 | afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4 |
| SHA512 | 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d |