Analysis Overview
SHA256
af2a5a17672bca94c79417e1d55253ce3abb9451171f89c42b4e4af29de4226a
Threat Level: Shows suspicious behavior
The file a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:15
Reported
2024-06-14 06:17
Platform
win7-20240508-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDot1I\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1I\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXT\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDot1I\devoptiec.exe
C:\UserDot1I\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 3994e3df68dcd3d6b9bf887fd4173dad |
| SHA1 | 577407e67203d7e4c37510e5d8a6b7360de5e38d |
| SHA256 | 132d10662a3d43b404c6bcd97ac5f1c33be7d968a692a36387d60987ba9f4e26 |
| SHA512 | ee8e9342467f19d7f70ceebe03885343c0a52c81b2dc5820c9266f4376b1c548877a38db26471dd11b7785d93612d243d8d636c294be90a07e02c255b5d7a0ea |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b89eb9e120ae86eb9eae293b0bf7bb27 |
| SHA1 | bd2e63032ff4997d9e7dd9cff126dc23003dbc49 |
| SHA256 | 96db7701bba24a0d1461f492ef1ce07c58292c5656165222944436fee1058fec |
| SHA512 | 0427f1cac2ee03bff33786b4ff4a69ae282081b2119db8e83a9ec13343c84bdb048bbc1e0d457634fbccd3544d073d65f6f30fcd05d871d39aaf2a9134975dee |
C:\UserDot1I\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7d98c17a3d905f329440940233badba1 |
| SHA1 | e5f94b8a8e484f6ffb07f077e0476387bd429496 |
| SHA256 | c3666ea136c01018ab3e03e90c758a3ca76f080cd7fd97c6852fb508b068ac02 |
| SHA512 | 9c9e6bdc4c99986416bd9488d7576ec1d53a033813049f35448c2a7425915760c05bfd54bea60e534075456b857fb0e692e92ea5112fae04d39c6fb1cae59a22 |
C:\LabZXT\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 7c51c1ada3842c39e9e357545dd58487 |
| SHA1 | 04e413b5bcd5ae2efc6b2b46e2ed9895813745ce |
| SHA256 | b787537ba388214ef32bb57e07ab3b12b8738ce8eaacd37e87cd79d85c1f4673 |
| SHA512 | 12b5efbf503fa051787e380dfc81ab90e95af7a00da74f5c60c779e6c19e30b52d0b9b43e7dee5db4f92956d108e192fe4a9a7959d89717ab8241ddde4efea1d |
\UserDot1I\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 3075e299354895a6b6c8fa48b217c092 |
| SHA1 | 008b2fbc20a48d370cd54b91c11b0fba54460e39 |
| SHA256 | 34dcfb6523bf5aa335c70ed6f5bc596d43450665161e1af429cee21e28606db3 |
| SHA512 | fa32ab94aa87d8e0f1650ab810037ab69dcf8fc4b09eccc253b9da8c10c2e1dfff5f866302b0e28045c5a3cc9a5332922689057156777c9fcb07c30eb9f5ad4a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fb3f559183c5cdd2f04b42ce57bf3bf7 |
| SHA1 | 6982a96eadb428ab3958682edcba18c279f5f0ca |
| SHA256 | 655c65a881b62ab6163682f68c656265c52afd6da25e38ddc29eb219602ebb45 |
| SHA512 | cc27941bf3399ece7332027b2380ac12ca39aa23c4e0ad2a115f6dbe11fb974cd3c7eaf59bc9086cb8f2ccbe45357e26e06425506e222d4d4c34b490b1a0769f |
C:\LabZXT\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | c70ced455cd7c31422a361df8f6c43fd |
| SHA1 | 0000c9daea4d49811079b8b8c5b4c8103fd1db7f |
| SHA256 | bab0982fda310c350ee0eae8a305d04b48a02fecdc0a8968a3e5fce0dffcfa17 |
| SHA512 | 2ffa1f9adaa183ae44bac8c836496e0ed4533a5e429cdd48bb9f89586e60c00f6f55a67d4f95ce102916b0b66580b94679f5ced39d8a39e1996b4c12cd1a5912 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:15
Reported
2024-06-14 06:17
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\FilesSG\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSG\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX1\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a88fc0b324b999533f29ffba1940dca0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\FilesSG\devbodsys.exe
C:\FilesSG\devbodsys.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | af14edb5a4271f6b9fec7c3f79d9cf3c |
| SHA1 | 16f60da9cb7c316291cea51b359a38955d075247 |
| SHA256 | 3f8dd2d9adc280dc77200b7f9bcbfd0db1547a5b4dcd51b1b1b79c8605b31e8b |
| SHA512 | 8a35bb999f5524ae4c724462863b23ec275608f1ad0d641d1ad47b8c587c5fa04113db695885df2d86c0648efc241261649244357714ca43bd241721fdc106c5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1027077f7c908d93762c0c8fb2799db0 |
| SHA1 | 49999ae8ed43cae92d3a1a48249eb53f856ce3e7 |
| SHA256 | 130a17c83bdbd36baac90c2a3b4d33aeb8e23d50ccf375296151637217a623c3 |
| SHA512 | 0cd81b8fb0b3e8001198deb6b1d268ab4d95a225f16a6dee1a2caa3ac78561b82606e0afa371cf91e922e5ef2a6d712dcec2cfd6691e38fd483a843bed0744dd |
C:\FilesSG\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | add0229142f6f7f954e5b7b6e3c8559e |
| SHA1 | 561b9529847bc4ebed110f88041baec428f5cf82 |
| SHA256 | 33823bf88a1d99a59098a9c6d883580cf96d11e28b5fe3dfafc95abe421a34f0 |
| SHA512 | 37c0fed5c9263f0a9fdde6f633e7eb9f76cf7c51ae638058e4b13a2c3e7e2c2469b5f1d80272696c4a9d0e2ace5d5f52c3136b5681cfaa5c6ee2450447535b49 |
C:\FilesSG\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 0e80a79569ef7c74b576f55543dc331a |
| SHA1 | 12a221b8b69d257f1c0aaa72233ec27347105fa0 |
| SHA256 | cdcb4df4afa95a890076009e68907135062fabba2f2c975176d8cd4be474bf54 |
| SHA512 | e640315e0ba54ae4242ac9f8837c8dfc167580841a5cedab21db78225aaaa811fc4532d6dff5fde1b95355fcaffa514381d85b5006ecf23b3dfba4efac0789f8 |
C:\MintX1\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 16d5aafc5fcb889e9267ea3d4bb56eb3 |
| SHA1 | 46def8e0f3e2dc536bd2d9b96ef2261915ac1edf |
| SHA256 | 0573ca3b3c767ad22afc40b93db028c4a67e373a14648f2f77a2df89106aa2aa |
| SHA512 | 08fff37497316b0e4e13d55aabdb26d90dbc741f873cc1dde8892f9c923cc1ee5331dc5e323220528b56611b30d2bd6b9065a4dee0addc65fe2d98ee219e25e8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b47a94f6951f8a00404d3da661a00845 |
| SHA1 | 47675263c9740cbb76974aa4ef2a75580bdbece4 |
| SHA256 | 6cf42d059dfd4ce30ae9079e5cd29b07f03c47545209e7d56e8e63e56b942fc8 |
| SHA512 | a669dc14a5d53e6d132e473ad240e281a02ed17efcfd21cbd0b50c423ba44bef989c4d231f9dc3ef20ac9681c8c2c67b9039be1929f2dd242e149456a6885433 |
C:\MintX1\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | fb54faaad4f26283659ea636bad3c41a |
| SHA1 | 6133b4402e4b7601e2b200003ae1faeedb1c5f8b |
| SHA256 | f53bc2e6138ea8749aa91e9ff43fe9f534bb45541c39948fbc810054451ca987 |
| SHA512 | e76b0f941a215be31dc8cbb0ff417e5cd097023fbe17070041f54177c02662277e398e9092b6a2b4bb145b6e369d72509f8ef1872426dd73fe33a4590b17181d |