Analysis Overview
SHA256
67aca80de496f19d414a00de39a384b330fa0d93ab75138672cfbc6e53bc383e
Threat Level: Shows suspicious behavior
The file a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:21
Reported
2024-06-14 06:23
Platform
win7-20231129-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\SysDrvOF\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOF\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5F\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\SysDrvOF\devbodloc.exe
C:\SysDrvOF\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | eb7b35e6ffc70607af97e88b7910a90a |
| SHA1 | 18d39627a9c9430b8602fec4969c84588b27ee64 |
| SHA256 | b6f7b44d5601c17f8e1c4b1edfdd3b4d0d59726bedcba2197590c41f2dc1363a |
| SHA512 | 8d17fc0935986cca1183923f059fd739ee83b09f094d59a8f63d1494f3f8214107f7d17dbade1035f5cc77109e3bc92c634e1433c4066c7d6e802ae0c39b64c8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ca15cacd852afbfe87170cd3b10d8908 |
| SHA1 | 54f1e3a877004284201b59d7bd1f08aa2b057e28 |
| SHA256 | d818dcf8345141240523b32219b9e1dece839fbdc3e2809825b3323d076572e0 |
| SHA512 | 3c9171fc32bec543e49b7c3d480fddd3c413f167f375016be4379a87b295ecac0cf836d044be1376ca01c5f5187d89d94d44deb3d67546734339d2ffa1010c6a |
C:\SysDrvOF\devbodloc.exe
| MD5 | 36efa8998c2b5319b4b92643b7329e77 |
| SHA1 | bd4624ba2d34325d665ac5965dad606d35a4a933 |
| SHA256 | 10cc99c72bfe0b5a202f9a1f88c23f50db6b750eb0e2b515cf28559fd5811829 |
| SHA512 | 169c040fe1fdf78cde1a1d73574ed7edb82e93e819d86f27aae2ac100f559a14824cdd969f869dfc5601b126ba65d3e21c86bb6956fa79beac27a6f1d5f52460 |
C:\Galax5F\bodaec.exe
| MD5 | 7194af4ca8b5784e038c373119d798e5 |
| SHA1 | 9c114add88126c1358d7020ca7697c5b0528ea2d |
| SHA256 | f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050 |
| SHA512 | dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4e0307093d384b1d91f58f37c483ddf3 |
| SHA1 | 9416bb26545b3cbeecf45910578240194d31fb4c |
| SHA256 | df5f4905c9e711627151fe82e9dd2654121c511c9fb29e44b908e0167890b541 |
| SHA512 | 7e7e4a1761dd9906fec97f0d060cd2ca4786964011d1a380c558bb34392acefeb035f30b44b8dfaa2eab8dddf7f2f87634aeeb7cb44f24bf26039e4d00d998a1 |
C:\Galax5F\bodaec.exe
| MD5 | e5af57f96678235a627e84aceb8255f7 |
| SHA1 | a8244fa73d1e33b9fe5ee9ac403e178329f0290f |
| SHA256 | 72ba234011dfa8ba767b4e87090cd5a2e720d3bad941f03c173d3aa8d9793e8d |
| SHA512 | 35e80eea1f66636eebc06e49f71eafe601df70836b8d251d8b2125a9d54f1bf3498caaa76c5dff2b640c5d2c398178c0ff7f97c8993d72393f21d2d17fad79c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:21
Reported
2024-06-14 06:23
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\SysDrv90\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv90\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWX\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8f7987b4114e89f5e85967062d68a10_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\SysDrv90\abodsys.exe
C:\SysDrv90\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 3bc31233a0f74d2a6306920bf0a49aba |
| SHA1 | f0e30ab7e933e6755d55ba0bc5de7eb4c1f47d7a |
| SHA256 | 1397881304840dbc113ead6b508d91c98fe1986728c5a5261b5c83469c1de1ee |
| SHA512 | e3aebb53ebe1910864adc1ec4270d754225c91167fc63d5905bab93d43158f856159193adb643150ef521dc4ba2aa954ea1acebf7d5eff011e3e760f8e1eafa8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1794777258d1446a8e67e8bc4e481e7d |
| SHA1 | e5e663d080221029bedd439dcbada256afdd137f |
| SHA256 | e0f601bb2d19019ce27dca6326b2e8ae8efd70451006baf2eefc543bfdab6cb6 |
| SHA512 | 5be1713886c85fd4d7f1ca47aeb4b8b6682aaa29eb2a8c0743cbf38d940959ffb5c3800dff8f3f9c5996ddc07c1fa14d8966c1edb5dfffc7fce6240ec4204913 |
C:\SysDrv90\abodsys.exe
| MD5 | 83ff38417cff98a858e220a1da24ce30 |
| SHA1 | b8969cb556a84b3bb1a0d052babd2aed043f7b36 |
| SHA256 | 599c0aebdaa60ba5f3967c6791b68ac4152528488cd0293ad3eda1fb227b9853 |
| SHA512 | 0a60109b3ba405ee5ac97791e8be2fe725d8b1055c0a5ae7c34582fef189674e4d2ee769a769bb6bb4e93dbbbe862f4e4c1db8dfec8c8334a42400dc8c224433 |
C:\SysDrv90\abodsys.exe
| MD5 | abcc7d2064c56edc0da06df2927ab562 |
| SHA1 | 0ffe234957398b2882f03923493546da8594088b |
| SHA256 | 0dcfe455819b826adef290d727bafe6990aa922960492c51719d1b02d3c5e518 |
| SHA512 | 9e35fe036777616ab440214ef2b8daad5d2d27d3a0695efa4fad6655faeeab9a970b0a02cb978465889c970215d9a934c9d20f81ae954363f8531278134358c7 |
C:\KaVBWX\optidevsys.exe
| MD5 | dfc2f937dff46f89543e01ca71ae78cd |
| SHA1 | d377405c6471321f5a2b1f0483b30fe3b75ec436 |
| SHA256 | 00c86cb2c5f87a7cfa7f3ff8ffa83bd4ec8a15f85022b67e16b5ad445a366701 |
| SHA512 | b01a15250c6dfc925683bd738e8886dd68bd34689c21877aca13f63f82a6645bbb15baab3527abb632f8fa85caff2278cfb2936cb9807d12c69e2c7759adf1cc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ec898cc1f775c616c2dbeeb49fe2df7a |
| SHA1 | 45cb3839d114c900ea30bc632ba4152be95d86bd |
| SHA256 | 0f22f1bc5c12bce8d5e059336cdfcc4142fd746af5849f51b2db69eee4c61cf4 |
| SHA512 | efc38dcc634513584f6ca52d010b70214e1b194ae3def6714538111adcf8c254cf5f4989369321225113456277f116018cc4062cdbe182d22b0376c82d4e68e8 |
C:\KaVBWX\optidevsys.exe
| MD5 | 4c440116d3a48f175271d23a55ee602c |
| SHA1 | c5c165d1d3bb17b1d166a121adb84c4959d01f61 |
| SHA256 | 8eb597910e8049b449e3a6059649146d57c67afea6525b5c8d5852f7e5e21be6 |
| SHA512 | b548755c730126a99fde44c212dccac258178ad0023a7d19dec643904398a246716fbbcb8b1a2725b19a3e72014e1914d2ee6ceae72e2081258411fb5b252961 |