Analysis Overview
SHA256: c209f8784c6137c1474c554169fc8c5595f7d5a736174dd55c4f2ab86c54069a
Threat Level: Shows suspicious behavior
The file 9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-14 02:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 02:49
Reported: 2024-06-14 02:52
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeGY\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGY\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxU9\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeGY\abodsys.exe
C:\AdobeGY\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeGY\abodsys.exe
C:\GalaxU9\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-14 02:49
Reported: 2024-06-14 02:52
Platform: win10v2004-20240611-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Intelproc3T\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3T\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6T\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c8cb66857908f54e6105df65d80c540_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Intelproc3T\xbodec.exe
C:\Intelproc3T\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Intelproc3T\xbodec.exe
C:\Mint6T\bodaec.exe