Analysis Overview
SHA256
83800a2d9c6e7b863a735563fc75c93239d00903294b188569094eaa4f7cd0fd
Threat Level: Shows suspicious behavior
The file a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 05:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 05:16
Reported
2024-06-14 05:19
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDot8I\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK5\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8I\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" |
| C:\UserDot8I\devoptiec.exe | C:\UserDot8I\devoptiec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | 05d2c563fd1a5917c1beed6e58f40333 |
| SHA1 | 8d0e8cbe93f37e2e1f3add95fa7b03d0ae0f8295 |
| SHA256 | 4f5fc4eea8c8341a22d17e4fdc946e6552b8fb2ea70cc2754985739e1c3b0067 |
| SHA512 | c0ba6d4d8692a052eb53230b96425e35a7b245cda49d03d78a9e2c1c598016b5649cde4750060a18e9e0593bca9afb1e9637428d3e05c19095e8a4d17b0a42e1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 5bca24925ad980443b4fb77eb2f42c7d |
| SHA1 | 9774be01de5f9677fe553e9fe86b97430ce76c15 |
| SHA256 | b88e499c1db72aa0b5c7f7ba7a650a60aa49a4857a31533198db1ab6a2b78415 |
| SHA512 | 17061660f4a27dae348bc3c30598d40d428f8f0408ea56abd0bab2c7295e875dfc7d97a80b5d9e12e60fe3ecc5386c9a909356efb39ed91b0473c8de8c8284d0 |
C:\UserDot8I\devoptiec.exe
| Hash | Value |
|---|---|
| MD5 | d0a3d749900eaa76c508be88f4113d51 |
| SHA1 | 2ad0d2d720326fd3d0528cb1379be8e157dc4b85 |
| SHA256 | 992dd88643baf92d7e123672743fd1ad9cf3e7cfb5f81b876ac395be4b1faf3c |
| SHA512 | e552fcb12d28296826e24089805a6efc87afce69fb2b8fd5adfb91336fe7f16df1efad7bf75595eb60880d472195f59f3da79a6d5f9e53817512545812038ac3 |
C:\LabZK5\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | dc42b54bda48009251856ac686a0c35a |
| SHA1 | 004246d1923fad4b17a7d478c2a33b95997de89f |
| SHA256 | e49dfeebb8a59ac93dabced90fb7c576884c807db5b516f0edf2de7a5414c9e2 |
| SHA512 | c1236e8a09e2d0619354f1836ed734117194173a29a01f5961d328f3bc73d2791ffa91bc0d71fb9fb2adc60825744b5cd3e5b550ab096b1a5d01f31061616b06 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4c6e47a06561c375705bdd11d752fda2 |
| SHA1 | 8ea2eba0567e9492d45aa14e69a7f77d0f95cbfc |
| SHA256 | a18a8ba8d9793807912341d1f7a92c2dee43e29d1c097495c5e81dba0cbb6a95 |
| SHA512 | 2abb3bf1b0a315a996151989b18039b00d43412e397afbe1a738a1d31c394eeea1f2f62a9ed18a391a8d268725c8af539ab6121bdc65e7897aaff464c31284fb |
C:\LabZK5\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | 2873fb57ea06e0913c9b5dde7bd73c2d |
| SHA1 | c2794b886d0f3c44e805ffe343756fd81b5c87ec |
| SHA256 | 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587 |
| SHA512 | 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 05:16
Reported
2024-06-14 05:19
Platform
win7-20240221-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\AdobeU7\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeU7\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA7\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\a5061bb824a38aa275f0208d03b1b680_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\AdobeU7\abodec.exe | C:\AdobeU7\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | c8076207b4b6a93a63d82d81b7a3d9e2 |
| SHA1 | 6e2a3caea881a1412ebc973b63b0600e35a8abce |
| SHA256 | 60d751e0aa43cf3970e02d2b2a1b85f4659435f41b2f339f5172007c3045cdab |
| SHA512 | 97338d6f02697275871e2086b7d789bd21fb5de5eaaba6678fbfd6f69eace1f63178154cfa491625ab207d29c9eb727c72b8860fb984b122d44e72217a8ea734 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4782029163822bb404b78644107c0427 |
| SHA1 | b2a73407f100f9c4a8465d5f288c75ff8c06ed90 |
| SHA256 | 7ae8c7b807c87d22480c7fda2c7aa9bc6e91f72b51da8d6d1682786729c14e1c |
| SHA512 | 97e142ef565e229494f9d41fc43bb5af70d838e7deda49b046de089d46012b60bc32b50433dd0a5b6e378616f19732285cd3032642086b084ca39f4b654aad3b |
C:\AdobeU7\abodec.exe
| Hash | Value |
|---|---|
| MD5 | e4d94fd973db7dc7dac1637dee2955b6 |
| SHA1 | ba3113516c8f91b93da1dd9ecc3b5d358f61b7e0 |
| SHA256 | 7d9a5b0f5a8ca7fa4f430e86de59b0d320122edf3c952bd86c7aa6cbdde83cfd |
| SHA512 | 35c8e5c8f9acec0d1ef5f4c66e139dcd56cdbc8fcd5163630a4aab8e3afed66497f3298c091d548dff566b004d8a7809f6be85fa3e028b6d45cecc4a9a573808 |
C:\LabZA7\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | fb6cdf9c469ba24f501f780bbe4740c5 |
| SHA1 | a6d8041dd364f222c423b8f3a99f175eb508868f |
| SHA256 | 0f245aaa02b0911d5dcd8da48af4a21a44bd92d826691a146f4da8bc1bdb2eaf |
| SHA512 | a0d6b6ff22219aa884c0fc8b13546f40184cedd4e7f1545f9c067eccce820dcd89af813e2c608d6e9f4a89636b8ab93c39b2472a483a6a5f66cd6fa2cf9d324f |
C:\AdobeU7\abodec.exe
| Hash | Value |
|---|---|
| MD5 | 155e1fdc5702820bcc7404f809440942 |
| SHA1 | 70df559b0790e66854317c0a1db871181c61138b |
| SHA256 | 5915043edd873b6366e17ffb595a85f00b8ca4333da78c2000c56ec54fb6fd41 |
| SHA512 | 9aecfec64cce772c7e1dd441029741cdac5fd80c996979f38ea0b9986c79fe3dad64e507111adeec69957473602160fa65e1ff217743010b238f4e8d7ff0e2de |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 380905d9db4ed05538c1588c1aee2aa4 |
| SHA1 | f653a86c80f888b2b563fa26b095894354f45421 |
| SHA256 | 2735de2151711730387f98fa15b498fea43b8e8efa7e8435a042a8231f93a1b7 |
| SHA512 | ddb45abe2f3c3aa903242061576159b6fae8da30ca6562442a1eadea6c1ffedfb78f2609fe8cf3f77416cc17d4f50ed18f56b0fc4716793a3680006deb7f0428 |
C:\LabZA7\dobxloc.exe
| MD5 | d76ae3abb7d283ef8d1f5b34009c9506 |
| SHA1 | abebcb81ad971f30d919b427f33ef8e758e727ba |
| SHA256 | d74e5ff3bddeda41ea35a8e245de91e99ee64048a2f3b5bfcbfea646f1118bd8 |
| SHA512 | 826571d7a16884febea28e97b8c33a113a8cef1c1cd06095a26ecd4ed10f0e9c434adb99514ddd22beccb58b2477d88cf944d05062acec2c6582d146452fb88c |