Analysis Overview
SHA256
8068a13bfa8cc3ff5bd3021c20d7e6c518b10f6d0a2482ca2be131ef400cb436
Threat Level: Shows suspicious behavior
The file aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 07:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 07:08
Reported
2024-06-14 07:10
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
51s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\AdobeLI\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2X\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLI\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\AdobeLI\devdobec.exe
C:\AdobeLI\devdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | b6d6c7a92604203cc1ebd6a101558a69 |
| SHA1 | 93654c768fa980d4b54c3915cb3f693c2f7181d6 |
| SHA256 | 5965e38ddbfba855e09620d1257bb6dc19391641b222805bd83369feb28ee34e |
| SHA512 | e82118cbdb6ffdd444b3c1811d2326a89c391f3da2d87ce07adb2b2e1632261801b4af8070759250ab6bc78c35ac58cb5c80d650f002c9597e5438ee01bb1775 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 62fb4dc8829041cea82bcfaef63b2906 |
| SHA1 | d637b8a368e541dd299874acba48cb09a204b21d |
| SHA256 | 7a7160fbb84b0fbe23d08862b9b8adff9ae06afe250d7052594626c5000d8f0c |
| SHA512 | b0a841fa507a31a6ed487b8477b81526466785d9d077c6cbb0c17c203c708f3a5eb70d71d184ea6c4ae35dd8904816e0e57461006483ccf8227d4bf12017bbcd |
C:\AdobeLI\devdobec.exe
| MD5 | 48a2bfe6d18e9b2809fbd0af032881c1 |
| SHA1 | 4f4d596139e17f50ef35c41f705c8db4664fb118 |
| SHA256 | dff55c7dcec9a669f79dcf5e7ffe14051a4abf04f89b981b5766154fc4c6aee5 |
| SHA512 | 77165ced695b1960197fff977a5fa7b93e26122fedf09b29d80a9de1ac8d5e2da20f8cbb338aefb9f10e546b64852d224c513a2b9f7256c5a087eecf623b68a7 |
C:\AdobeLI\devdobec.exe
| MD5 | 4ecf984e25822b7983abebeab8fde76f |
| SHA1 | 962877ace2c499caed927d5c40d9d91fc5d36cf1 |
| SHA256 | 476c04b3cf0c17dc1f0e4c2c0b5bb6a3a6a6d4826fa32e49727269d2d946734b |
| SHA512 | c3f4a345a3a8f26e5dd6243406f811bcb512d173d2a6c2e417741732fe3eee3a2c3afbbba1a12e5616a3869eae32c79c8e2dc1c6f2c3dec1ff02919187fb993c |
C:\KaVB2X\optidevsys.exe
| MD5 | c0b763213a6ef2b2d6286f49bc7ccb67 |
| SHA1 | 6cc83b57671efe2294be6cdd4318b015f76f2452 |
| SHA256 | 12f09ea4da55ce33a2dd96f47369a34fb979e6396d76e5a51e444b50502c844c |
| SHA512 | 2f73455f19d8a76d5cd3d968fd4a43cb5ea38ac0dd5772ee1e190df55c7072e25f9ff1e5dc4f106aaddc05cead7c74201488eaa5400aa2c5498a90720b87fafd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 18f2b012f8ff4c0d45d1edf9975c5305 |
| SHA1 | ae5af155f54b5843c2e70534d42fca0dc99dd3e7 |
| SHA256 | 4315fac6c192a2aacdcdab7f5236a225d03cb7f537c9b3c001dee15ccb89646e |
| SHA512 | cc2ecb06a60ccf495e862b3c8a05f184fc849806013b69e09762fb1b7d27fb65322c13f7fb1d80931c726d1c29b740b0d8238d01a736898417a1eabfa9b957f9 |
C:\KaVB2X\optidevsys.exe
| MD5 | 3b52d04a0e9fe4a464f305453e4bb82d |
| SHA1 | c1101796f5e24bd64feb41b915f4ef9b18a7b1e5 |
| SHA256 | 9e7fe6fe7e906fb843721919f7e1194648f3d994fb96af682b8603dc8d681aa7 |
| SHA512 | 14cf14e243718a2884c10e8a109fb5401a0d9fc3f19af7b7a0173b5127d2f88636654dce1b69b3b94e8c2493b50da9200bd5cf4235e937eed4e0601ea380be0b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 07:08
Reported
2024-06-14 07:10
Platform
win7-20240221-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc7B\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7B\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZ1\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aba6ab98809f9dcbd40421dda81925a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Intelproc7B\xdobloc.exe
C:\Intelproc7B\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | f3783b3649bbba086c2e1350b9ae5dcc |
| SHA1 | 9e9ec753dcdd64903eecaaa02fb0d4979842c1a4 |
| SHA256 | 3197185fc6f31de2ad2f261943640d204d0b39d77113fd709934b7e5853af9d7 |
| SHA512 | de138ae7021e01a28d1ae90bd76be1eb349c65c3b3f91c5e13b03b10f610e5addcd85729b83f2a368dbb6a921919916d0114a65f3a2293b13b148ac5e13055fb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2a5d7f2d1bbfe8db1a081bf5c6531e7e |
| SHA1 | b159e27a7b95d1281d25b5a3a37f1b0851c12cc9 |
| SHA256 | e41b7ebfc0c0d05d8b06f1506e81c65e4485bc1399c9495b690747f878ef05fa |
| SHA512 | b8b5906f6834edf543fb20d812ea3fb81d4d66b1174f53b1cba4a6e7eb3216e602240ce358a9a8692a869d3b055ca33afbfb0a2a9715dfe470ab05ba421fb5cd |
C:\Intelproc7B\xdobloc.exe
| MD5 | a90cf04bd623e1f090a3fda0fb46559e |
| SHA1 | 730906136e88664392fa59c47bee6d806d3ca0ed |
| SHA256 | 1ec32adba6d8eba4cf70f084906b09b89d9d8d58f4be6a76d3039a6f1aeb86cd |
| SHA512 | 780ea97bae8d8126a411607ba1e6b31736085054d57d81ce3e769aec1a08b7824cccfbb841a1396435e6469f0ecfcdd3fe30eb600ed521723acddc511ef230e4 |
C:\VidZ1\bodasys.exe
| MD5 | b30af74c34a007928f25b3c482d6aeba |
| SHA1 | 111abb46b79b44819e95067b1b91c24e37f73cb4 |
| SHA256 | 1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea |
| SHA512 | 4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ce0c3fc9c6b69fd4d73ac90483f22ec7 |
| SHA1 | 9b88c511ae2ea6f3b257bb16bb113fc1eec0acbe |
| SHA256 | 95a1caac94e03c2a51c1bf735bd236b8064fe8e6b21a046b3d462e5f10a8259c |
| SHA512 | 485dcd98814b21d8f14766fdd3a26f70dce08762e8f74142a27a0d38412e6548d932569ce2e8bac61ff80e4d75ce039d8ae3ea47bea9270da7e105260bf337a5 |
C:\VidZ1\bodasys.exe
| MD5 | 34376e69347c6900de00bf893fc58be2 |
| SHA1 | a01870392aaa97ce6761ed25d9d72c10e6eaad24 |
| SHA256 | 4db20a9808ee9d4418b98f7beec03441be4628cdf58bfb11a531669c73878153 |
| SHA512 | 7e78bdb215aa58eb8b991120260b516ee9bdf037459aab84236cc43e0f8f15cf9a33a20b1ce7a5f02e019b5a47f27aa0532949e55282213fc7d35b46d2faca73 |
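The two detonations above (behavioral2 on Windows 10, behavioral1 on Windows 7) show the same persistence pattern: a copy dropped into the user's Startup folder, a Run value and a RunOnce value both named Parametr pointing at executables in non-standard top-level directories (C:\AdobeLI, C:\KaVB2X, C:\Intelproc7B, C:\VidZ1), and a marker .ini file in the profile root whose name embeds the OS version (10.0 on Windows 10, 6.1 on Windows 7) and the user name. Several dropped paths are also listed twice with different hashes, so the files are rewritten with different content and their hashes are weak indicators. The Python below is an added example, not part of the sandbox report: it parses the report's own indicator strings (copied inline) and works out which pivots stay constant across the runs. The function names, the TRUSTED_AUTOSTART_ROOTS list and the .ini filename template are assumptions of this example.

```python
"""Hunting pivots from the sandbox report's persistence and dropped-file data.
Added example; indicator strings and hashes are copied from the report."""
import re
from collections import defaultdict

# Run/RunOnce indicators exactly as the report prints them (both detonations).
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2X\\optidevsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLI\\devdobec.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7B\\xdobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZ1\\bodasys.exe"',
]

# (detonation, path, sha256) for every entry in the report's Files sections.
FILE_RECORDS = [
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe", "5965e38ddbfba855e09620d1257bb6dc19391641b222805bd83369feb28ee34e"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini", "7a7160fbb84b0fbe23d08862b9b8adff9ae06afe250d7052594626c5000d8f0c"),
    ("behavioral2", r"C:\AdobeLI\devdobec.exe", "dff55c7dcec9a669f79dcf5e7ffe14051a4abf04f89b981b5766154fc4c6aee5"),
    ("behavioral2", r"C:\AdobeLI\devdobec.exe", "476c04b3cf0c17dc1f0e4c2c0b5bb6a3a6a6d4826fa32e49727269d2d946734b"),
    ("behavioral2", r"C:\KaVB2X\optidevsys.exe", "12f09ea4da55ce33a2dd96f47369a34fb979e6396d76e5a51e444b50502c844c"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini", "4315fac6c192a2aacdcdab7f5236a225d03cb7f537c9b3c001dee15ccb89646e"),
    ("behavioral2", r"C:\KaVB2X\optidevsys.exe", "9e7fe6fe7e906fb843721919f7e1194648f3d994fb96af682b8603dc8d681aa7"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe", "3197185fc6f31de2ad2f261943640d204d0b39d77113fd709934b7e5853af9d7"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini", "e41b7ebfc0c0d05d8b06f1506e81c65e4485bc1399c9495b690747f878ef05fa"),
    ("behavioral1", r"C:\Intelproc7B\xdobloc.exe", "1ec32adba6d8eba4cf70f084906b09b89d9d8d58f4be6a76d3039a6f1aeb86cd"),
    ("behavioral1", r"C:\VidZ1\bodasys.exe", "1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini", "95a1caac94e03c2a51c1bf735bd236b8064fe8e6b21a046b3d462e5f10a8259c"),
    ("behavioral1", r"C:\VidZ1\bodasys.exe", "4db20a9808ee9d4418b98f7beec03441be4628cdf58bfb11a531669c73878153"),
]

# Shape of a sandbox "Set value (str)" indicator: hive\SID\key\name = "data".
RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'(?P<key>.+?\\CurrentVersion\\(?P<autostart>RunOnce|Run))\\'
    r'(?P<name>[^\\ ]+) = "(?P<data>.*)"$'
)

def parse_run_value(indicator):
    """Split a Run-key indicator into SID, key, autostart kind, value name and target path."""
    m = RUN_VALUE_RE.match(indicator)
    if m is None:
        raise ValueError(f"not a Run-key indicator: {indicator!r}")
    d = m.groupdict()
    d["data"] = d["data"].replace("\\\\", "\\")  # the report escapes backslashes in REG_SZ data
    return d

# Assumption of this example: autostart targets under these roots are expected; anything else is flagged.
TRUSTED_AUTOSTART_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def untrusted_autostart_targets(indicators):
    """(autostart kind, value name, target) for every entry pointing outside the trusted roots."""
    out = []
    for ind in indicators:
        p = parse_run_value(ind)
        if not p["data"].lower().startswith(TRUSTED_AUTOSTART_ROOTS):
            out.append((p["autostart"], p["name"], p["data"]))
    return out

def value_names(indicators):
    """Registry value names used for persistence; one constant name across runs is a strong pivot."""
    return {parse_run_value(i)["name"] for i in indicators}

def hash_stability(records):
    """Map each dropped-file path (case-folded) to the number of distinct SHA-256 values seen for it."""
    seen = defaultdict(set)
    for _, path, sha256 in records:
        seen[path.lower()].add(sha256.lower())
    return {path: len(hashes) for path, hashes in seen.items()}

def polymorphic_paths(records):
    """Paths written more than once with differing content: hash IOCs for these will not hold."""
    return sorted(p for p, n in hash_stability(records).items() if n > 1)

# Assumed template for the marker file: <numeric tag>_<OS version>_<user>.ini in the profile root.
INI_NAME_RE = re.compile(r"\\(?P<tag>\d+)_(?P<osver>\d+\.\d+)_(?P<user>[^\\_]+)\.ini$")

def ini_marker(path):
    """Decompose the marker file name, or None if the path is not one."""
    m = INI_NAME_RE.search(path)
    return m.groupdict() if m else None

def stable_pivots(indicators, records):
    """What survives across the Win7 and Win10 detonations and is therefore worth alerting on."""
    tags = {ini_marker(r[1])["tag"] for r in records if ini_marker(r[1])}
    return {
        "run_value_names": sorted(value_names(indicators)),
        "untrusted_targets": len(untrusted_autostart_targets(indicators)),
        "polymorphic_paths": polymorphic_paths(records),
        "ini_tags": sorted(tags),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(stable_pivots(RUN_KEY_INDICATORS, FILE_RECORDS))
```

Running it shows the pivots that hold across both runs: the value name Parametr on both Run and RunOnce, autostart targets that never sit under Windows or Program Files, and a constant numeric tag in the marker file name, while five of the eight dropped paths carry two different hashes each. A detection built on the value name, the Startup-folder drop and a regex over the marker file name will outlive one built on the SHA-256 values in the Files tables.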