937181e8bb7cc22385c16af1566fade073177c7a3bbaebff4b58eed62820d037

General

Target

62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe
Size

29KB
MD5

62a9cdcdafa23b131f1d70229f934640
SHA1

d8f23cf9cb646ef56fa13cb0cdd0ec6fac40a600
SHA256

937181e8bb7cc22385c16af1566fade073177c7a3bbaebff4b58eed62820d037
SHA512

fc4d6efbdfa99406a3fe0a8f78dd5c94c146a6e6e078aed8e32a120804d68308f72b891b8e1986784725d06c502f21ba9486b3bb1f92e08efe5658fe9df2d7a9
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/o:AEwVs+0jNDY1qi/qw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
816	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1392-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000800000002343a-4.dat	upx
behavioral2/memory/816-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1392-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1392-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1392-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000d0000000233b3-55.dat	upx
behavioral2/memory/1392-154-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1392-175-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1392-182-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/816-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe
File created	C:\Windows\java.exe	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 816	1392	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe	82
PID 1392 wrote to memory of 816	1392	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe	82
PID 1392 wrote to memory of 816	1392	62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62a9cdcdafa23b131f1d70229f934640_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC13.tmp

Filesize
29KB

MD5
64eaf0d05f64e9838a10bacd04b3617c

SHA1
a6b0c46e78898e998b65d12be9ddf8133ffe16fa

SHA256
2f142ce2515203063fbdd1e1d7d334296365752c4981cefa48c3e9bcc67b3f2e

SHA512
4a2c824f1d95a4fbf6c894217522e1243ac0a9dca83bd241e2ee2d11aaf022fb671706fdeb27b1e74317e5b01bcbfa14794760a8b185caf643fde84df4bd414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
7707bfc60106962d63bcf7c7bafe6fb1

SHA1
6c418623b04b6b89b3c7497e5fd8e0069bcc26d4

SHA256
ce89ae929aeea738e2189b7da9bd33ec06d1bf3015294e4ad10135fcc5bd2e52

SHA512
213cc9b24c7a81607ea03a592b66d3c6862548109bfcdd500d2d6301a6dd25505c993850e3cf2e886f38198202f744908a66c14ef2f758304d227ed25aff55bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
aabd3cf5556ffb0316c8cd1b88e67507

SHA1
f069c4d7992eb8cfedadb763c1e61064bfbbe95e

SHA256
f5241356fb91bfe31c704b502fe358b96fa4abff62dc82c299e66e53eb0d26f2

SHA512
d2b425189a0896739e59c83468f90638f1491d4f2d0aae5ca1cfa3c376420998d04d304050a9933058bc78d1f6e96058884b5b28293127886549fcbc6039c0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
631a233ee75b770edd44257e37a3ab6b

SHA1
85940301169d4a6aafbebc04d5f3cad70747a591

SHA256
ccfb17ef30401320ea7f70a077f5f96125d19e88ba71a9f37d08fbc3e930bfd2

SHA512
f05798a56ed7ad016637e1cbd636b2651cced754744d5b2061e07c33032dc99fdc91435a14522f66b838a8f753eacc6992ba0681e751485c40616920514b8c73

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/816-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1392-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-175-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-154-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-182-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1392-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads