Analysis Overview
SHA256
14245e5a193ed4ee73d4a1ba63d27dc9b1a13dc10815c5b15e15da8abb37394a
Threat Level: Shows suspicious behavior
The file a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:27
Reported
2024-06-14 06:29
Platform
win7-20240221-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\UserDotQU\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQU\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8B\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\UserDotQU\xbodec.exe
C:\UserDotQU\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotQU\xbodec.exe
C:\Vid8B\boddevec.exe
\UserDotQU\xbodec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid8B\boddevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:27
Reported
2024-06-14 06:29
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeDP\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDP\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOV\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a93f90b619b99b10add7d5c45b0db430_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeDP\abodloc.exe
C:\AdobeDP\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeDP\abodloc.exe
C:\AdobeDP\abodloc.exe
C:\LabZOV\dobdevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZOV\dobdevec.exe