5622b1d0e794a356a32954c86d97b9b6932a9fae403f65b3d211440fde0125cc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe
Size

29KB
MD5

4b569a8a43c1e4a80b64f4ee327e8d20
SHA1

a4bca5f80cda5ff4c3bfebf565e91bce8a9ba796
SHA256

5622b1d0e794a356a32954c86d97b9b6932a9fae403f65b3d211440fde0125cc
SHA512

7952c243a651ab8a040a0511d11d31e4e611e0ef22805fee99de091b26889b6de1d75cec9767e73008c2994aaf4e5e634c9ebb3229939583229741c0a46be45c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/d:AEwVs+0jNDY1qi/qV

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4996 services.exe

pid	process
4996	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3420-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4996-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4996-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4996-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-25-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp271D.tmp	upx
behavioral2/memory/3420-158-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-250-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4996-256-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-260-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-261-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-322-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-323-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-363-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-364-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-368-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-369-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4996-371-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3420-375-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4996-376-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe
File created	C:\Windows\java.exe	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe
File created	C:\Windows\services.exe	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe

description	pid	process	target process
PID 3420 wrote to memory of 4996	3420	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe	services.exe
PID 3420 wrote to memory of 4996	3420	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe	services.exe
PID 3420 wrote to memory of 4996	3420	4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b569a8a43c1e4a80b64f4ee327e8d20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[4].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[5].htm

Filesize
156KB

MD5
b37c8345cf75d05b1133a1ecad910e44

SHA1
fe37c12844030dfa4fd82e405ab767914f428034

SHA256
3afaca058b794891b118745c1b3035ee1d0fa4afbe2263fd89be04a31803402d

SHA512
2a0d9a7c6105c5f771ad6d9354f78311ea24015175865aa86fa1e4998dabbf4a4d5396712f95780c5922f181f4c33d2a9d70854d9e03eb7a7317dc4219c073c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\V3E7Z64C.htm

Filesize
176KB

MD5
e6aacb1ef3cdf153b8624aeef2eac689

SHA1
c0f402e0bcb794a7afdb8d41877b3c293f5b4353

SHA256
c2f685836eec2cd2909472cf436007ebc74921acaf7e82f2f0adf900c672a5f0

SHA512
3b6dd9dec36aa5eeaabe1818be4641c7a6268fb8c1535f3e662311b7366ff6a9940301a6184c197d18e6d0a54e9eca7b85f5890572d8ea44a004b77cce2e7a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\results[5].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[1].htm

Filesize
104KB

MD5
127f4c855876f2423955b488cd8ae2f5

SHA1
bb5b0c0cf7b7bfbb9e381abee0481caf6d2cfb33

SHA256
bb2dd8eeb793c0570261c39395ff8e1d28e386634ce31222298510d96f7e0ccf

SHA512
e830a306fa333c081e78d399ae2f63419357e8d900ce495ed8eef4cc312689658cd1f1248da8ccaeb8a9262c4fd6f86cbf27097a54cf99e4fd0b68e6ab8a05fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[5].htm

Filesize
114KB

MD5
b2c11f81db1fb7b5ab34bdba5752edf4

SHA1
607f805b8ec5bc28ebdc7bcaca515b8516a67005

SHA256
9e7258c915c8d980c15eb11a36de6a6a6c371391531eefcfc20de94cf1eb0d20

SHA512
f803830a0ff1613c34355a8deeff2b302a18326594dfc52b563968bd0de55cec9914a828336707b24ed488cb9533cb2ec462000e01c189c6c2aa6e0c2a500b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp271D.tmp

Filesize
29KB

MD5
90e9e022e39f47b0558e252b9b4c96cb

SHA1
d2cf7ab53094f03fbced51e2491c9348b6e8f3e7

SHA256
b009aa0c83145fd1ff21d261a90c4f04462c2409e866cb20b161e39ca9cf27f5

SHA512
348f5b9ce7cdead04d57c681d756bb59511ecc88fa0551697828823a8f3d38ed12e0481f585826d785e4376e5f4a02bc34e7d7b16e14732d1e36a96d22398522

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
c3ee70e866f642cf840410b517400555

SHA1
24c705260c607ec067c512c3b6b896e81065f21d

SHA256
97daaa82cd85c6f6c3349fb0f25fc069cc8a64a252be8c3f3d67944c38688f67

SHA512
63dfbbbfedab11eb1cc03ab31da0d9c141478b77a2bf532f911105ed1c2046fc9c1ffc8d58de32015a9b0d9a3dec6945afa836d9a67a2535738159bb4db4b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
f90529ebc2c2f456efc6eb57414a75c6

SHA1
357d682e7572b02d6b91568c6673c734974a56ea

SHA256
06714ae2e833c430f0ccf6a1af8b5ad271fe03f2806b1ba6df232570a2724272

SHA512
709fa107c5b7e020529282157324d49b84e05bccb1d85ce1373c779ad4c63b7fe4dd082fa32b0065388bd4b305ff3142f88429ec4affc671da3a11982448d39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3420-322-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-260-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-375-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-158-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-368-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-25-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-363-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-250-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3420-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4996-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-261-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-323-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-364-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-369-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-371-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4996-376-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download