Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 23:16
Behavioral task behavioral1
Sample: 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task behavioral2
Sample: 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
Size: 56KB
MD5: 267ac0484e05ad73f53a5b9823a6dea0
SHA1: 70d298ee70a9a0f1132fa9723eb356de5b42a6c9
SHA256: a623074435a3880c7b48fd0af08a87a0557f0c4478846ebb2d3f0d0ff574e672
SHA512: e7f5abd86e815e7c320555da19d859ca9803c75161fcd399f7b305d208f5aff736582397b495fe414e5ce3753640c6f37aba63a54b96b143153e656aafb1465f
SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmMJ0UtH/hY+JFfJcqfTH0KoP:aqk/Zdic/qjh8MJDH++vCVKe
Malware Config
Signatures
- Detected Microsoft Outlook phishing page
- Executes dropped EXE (1 IoC)
  Process: services.exe (PID 3040)
- YARA rule matches: upx (19 IoCs)
  Every resource below matched rule upx:
  behavioral2/memory/4996-1-0x0000000000500000-0x0000000000511000-memory.dmp
  C:\Windows\services.exe
  behavioral2/memory/3040-7-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-13-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-17-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/4996-18-0x0000000000500000-0x0000000000511000-memory.dmp
  behavioral2/memory/3040-22-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-23-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-27-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-31-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-32-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-36-0x0000000000400000-0x0000000000408000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\tmp98A4.tmp
  behavioral2/memory/3040-106-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-239-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-274-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-278-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-279-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/3040-378-0x0000000000400000-0x0000000000408000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" by 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" by services.exe
- Drops file in Windows directory (3 IoCs)
  File created C:\Windows\services.exe by 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
  File opened for modification C:\Windows\java.exe by 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
  File created C:\Windows\java.exe by 267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4996 (267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe) wrote to memory of PID 3040 (services.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe (PID 4996)
   Command line: "C:\Users\Admin\AppData\Local\Temp\267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (PID 3040), child of PID 4996
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
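Two details in the signatures and process tree above carry most of the weight for a hunt. First, C:\Windows\services.exe is not where Windows keeps services.exe (that is C:\Windows\System32), so the dropped file borrows a trusted name in the wrong directory, and both dropped binaries sit directly under the Windows root rather than in any subdirectory. Second, the Run values were written under the WOW6432Node view, which is where a 32-bit process lands on 64-bit Windows under registry redirection; Windows still executes entries from that key at logon, so a hunt has to cover both the native and the redirected path. The three WriteProcessMemory events, by contrast, are a parent writing into a child it has just spawned, which ordinary process creation also produces, so they are weak evidence on their own. The following is an added example written for this report, not sandbox output and not a specific EDR's query language: it encodes those checks and runs them over constructed events shaped like the report's IoCs. The Sysmon-like field names (event_id 13 for a registry value set, 11 for a file create), the two benign control events, and the extra system binary names beyond services.exe are all assumptions; the ATT&CK ids are the editor's mapping for the two behaviours (T1547.001 Registry Run Keys, T1036.005 Match Legitimate Name or Location).

```python
"""Hunt for the Run-key persistence and path masquerading recorded in this report.

Added example for this report; not sandbox output. Events are constructed
to mirror the report's IoCs in a Sysmon-like shape (event_id 13 = registry
value set, event_id 11 = file create); field names are an assumption, as
are the two benign control events.
"""
import ntpath

RUN_KEY = r"\microsoft\windows\currentversion\run"

# Binaries that legitimately live in System32/SysWOW64. services.exe comes
# from the report; the other names are common imitation targets added here.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WINDOWS_ROOT = r"c:\windows"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\267ac0484e05ad73f53a5b9823a6dea0_NeikiAnalytics.exe"

EVENTS = [
    # From the report: the sample drops two files directly under C:\Windows.
    {"event_id": 11, "pid": 4996, "image": SAMPLE, "target_filename": r"C:\Windows\services.exe"},
    {"event_id": 11, "pid": 4996, "image": SAMPLE, "target_filename": r"C:\Windows\java.exe"},
    # From the report: Run values written through the WOW6432Node view.
    {"event_id": 13, "pid": 4996, "image": SAMPLE,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM",
     "details": r"C:\Windows\java.exe"},
    {"event_id": 13, "pid": 3040, "image": r"C:\Windows\services.exe",
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services",
     "details": r"C:\Windows\services.exe"},
    # Constructed benign controls: the genuine services.exe location, and a
    # registry write that is not a Run value.
    {"event_id": 11, "pid": 1234, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target_filename": r"C:\Windows\System32\services.exe"},
    {"event_id": 13, "pid": 5678, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]


def normalize_key(key):
    """Canonicalise a registry path so the native and WOW6432Node views compare equal."""
    key = key.replace(r"\REGISTRY\MACHINE", "HKLM").replace(r"\REGISTRY\USER", "HKU")
    return key.replace(r"\WOW6432Node", "").lower()


def is_run_value(key):
    """True when the value's parent key is a CurrentVersion\\Run key (any hive, either view)."""
    return ntpath.dirname(normalize_key(key)).endswith(RUN_KEY)


def masquerades(path):
    """A system binary name outside the directories where it legitimately lives."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_BINARIES and ntpath.dirname(path).lower() not in LEGIT_SYSTEM_DIRS


def in_windows_root(path):
    """Files placed directly under C:\\Windows (not a subdirectory) are unusual."""
    return ntpath.dirname(path).lower() == WINDOWS_ROOT


def tag_path(path):
    tags = []
    if masquerades(path):
        tags.append("T1036.005")     # Masquerading: match legitimate name or location
    if in_windows_root(path):
        tags.append("windows-root")  # local heuristic, not an ATT&CK id
    return tags


def findings(events):
    """Return one finding per suspicious event, in input order."""
    out = []
    for ev in events:
        if ev["event_id"] == 13 and is_run_value(ev["target_object"]):
            target = ev["details"].strip('"')
            out.append({"pid": ev["pid"], "kind": "run_key",
                        "name": ntpath.basename(ev["target_object"]), "path": target,
                        "tags": ["T1547.001"] + tag_path(target)})  # Registry Run keys
        elif ev["event_id"] == 11:
            tags = tag_path(ev["target_filename"])
            if tags:
                out.append({"pid": ev["pid"], "kind": "file_create",
                            "name": ntpath.basename(ev["target_filename"]),
                            "path": ev["target_filename"], "tags": tags})
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f"pid {f['pid']:>5} {f['kind']:<11} {f['name']:<12} {f['path']}  {','.join(f['tags'])}")
```

On the constructed input this yields four findings, one per report IoC, and nothing for the two controls: the System32 copy of services.exe is in an allowed directory, and the Explorer value is not under a Run key. Every Run value is reported, because a new autostart entry is worth a look even when its target is unremarkable; the masquerade and windows-root tags are what raise the two services.exe findings above that baseline.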
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ee4aed56584bf64c08683064e422b722
  SHA1: 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
  SHA256: a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
  SHA512: 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
- Filesize: 127KB
  MD5: 008c10d2a43a776b83659f351cf5fac8
  SHA1: 2a169d089bbc5bb10bec4d4039e57aa49f471b52
  SHA256: 2e3a5b0d2887d4fa7213379b394422cba5a8ae8d0c378dc328b8f32de57f65b0
  SHA512: 30e5a1239bcdf2a6b8a4970fe46cb434d5cf2973ace7b5ceda35bdaf9c3edd3f52ae783e89faad1caaa082c07a816193b3e0411df9573b864df656469d1c7798
- Filesize: 114KB
  MD5: 7e316102fc169bb83e7e1e98394e5506
  SHA1: 57bd2aae7a1ea7127d0a633d9172c529d298546b
  SHA256: 317985f4a6fb624eb2c7896eb652ed459f14e3679ff4146ef0b21a814a658678
  SHA512: 9e439d035ad3f9d795b82e4ae5f863d1c1b91f21e367a11aaf2d1f95e1f20e2facd0805881e72716a7e7942c3f91a5e62ebd4366ae2318643c15872b6b42dc48
- Filesize: 312B
  MD5: c15952329e9cd008b41f979b6c76b9a2
  SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
  SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
  SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296
- Filesize: 1KB
  MD5: 35a826c9d92a048812533924ecc2d036
  SHA1: cc2d0c7849ea5f36532958d31a823e95de787d93
  SHA256: 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
  SHA512: fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd
- Filesize: 133KB
  MD5: d40c4d1fae6c1c5723d2543bac147a76
  SHA1: 444472443afdbbfd47ade8d5968cd7f4bb9245c4
  SHA256: 25e0fbdd66ec8ffded8ed7ec3285c8c6ab7981be55f43929c08e9602c6796b82
  SHA512: 6706d9d5edb2ee837e927796389efb1b6e209535b3c72637c3b4787d3ec6667e8ba74f1e5baa7cb5f91beeb0302e6eaf846c7a641cab1da7d24217eccce65670
- Filesize: 117KB
  MD5: 63bc5fc6f064c662476ee7591ebea395
  SHA1: 30e60953d0d5bcff61e7e7cccc0cb9709028a52a
  SHA256: 05ee7668ffe09c8b4b52e66f7d0cc7a30e6f12c24bf582b4e8e6ff664dc12ae1
  SHA512: 0544a34e1cdf176426c87cc589a4f9be4dbc4bb3e82b2e69f5ccfb2710c6edb5125174422ee88a4de6ce595939e96d2f2d959ee7649ec0ced0bc02fb4851790a
- Filesize: 175KB
  MD5: e97c2a221d7101ed9442e03a78060d23
  SHA1: ca26a72caa774b2e71ad956bc7f6558d2160a365
  SHA256: a1941b9e1953286af3b68be94c337250cac8958eb5c19d09062add9ccf53e190
  SHA512: a497ac39d6ed1634e7a4cf70da16a46a061b7668eec784e2a0b0f851ad585b1392c410f98e35533aa756f8794547aa98a19484c4331d307c52265c56146fdd70
- Filesize: 1KB
  MD5: 211da0345fa466aa8dbde830c83c19f8
  SHA1: 779ece4d54a099274b2814a9780000ba49af1b81
  SHA256: aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
  SHA512: 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
- Filesize: 117KB
  MD5: f911fa3f699e9ce3a70d19828448a348
  SHA1: 7156208114e839d3f13a6fb41e7eca14bcb53243
  SHA256: 2176b7590997c9cd600f707355da0a6c27b2240d5278d42d75b236778c9e4492
  SHA512: 5543f0e5024a545eab117262a910fd58aaa972d4c8f4efb7aa6a7c72a8058c9067be1bdf9ab3c022874542d6afd7ffa793e97e05544cd9cb7481413c288a7e0c
- Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize: 175KB
  MD5: 96389d50931e687e4925cec3ba658b3d
  SHA1: 1f4aba7431a7bd2fa8b2da1485a9c2b58f34d3a6
  SHA256: e93df9694aa55fd6b0efbfb9bc44aa6526659bf9fe78d3683d5492b47a0b3ff8
  SHA512: 20f5a806b1ef55929f1e9133d70679975b57eb7d2e45e440e94d6c6d4d333bc1c5d77d5902e0be565f25b3fb0d5b6c99b8c54268bdc33f495241711064910140
- Filesize: 312B
  MD5: 5431b34b55fc2e8dfe8e2e977e26e6b5
  SHA1: 87cf8feeb854e523871271b6f5634576de3e7c40
  SHA256: 3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432
  SHA512: 6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c
- Filesize: 56KB
  MD5: 744f119f9f3a49539f784e19b9b9d2db
  SHA1: 8e993b7178131e553938ca6edd49f00fb200e3c4
  SHA256: ee44e92744f66d27f304229a6ba6ece80ad252ab8583d7ca07f46d3f6ea6c67a
  SHA512: c7b8af3f19e6818bbd18e05e506a97fbbaf1167f65a1c4a3e34470febe347dbdc0d16b499f29cd2cb8154ccf45dba68c64ae52cb6eae17fd872f9ab3ef19bcef
- Filesize: 1KB
  MD5: f931d3984b556699f4ab6b421f36e687
  SHA1: cb90ead48ba61ea185249f48f39c7d7e9d93e32a
  SHA256: 57e22e3691605706a0eba2c84f6ec62426920774d4cd7987d25503c5d44af281
  SHA512: 3dd52aebe5c5ac19579a3246ebb89fc0bc3def4d7b88edada2e183a21807fe238cb1c0748164d5d8f020b7803ef7ebc85d76993cc72fb1566cd834469d99747d
- Filesize: 1KB
  MD5: 95296fce72ef6a2e56f4891c8d70e79c
  SHA1: d9bbfbf29910a2e34bff21dcf0ea5a16f83e2fd7
  SHA256: eae20cabc891cec811cc743f30cf068f968ca6b74c8f0013576c451ea1148328
  SHA512: 9fdf2ebefadd11f647c299c3b7ffd6819826c6092bb04c23a0b4d5db4bb8f2f16b003aa6a2e968284a6fc10b0448a8c235e38616dd4566c2a25eb787f7144a21
- Filesize: 1KB
  MD5: 279204582c1d7b5c69a2528e5f8b11dd
  SHA1: 29fecb3069cdeffd440dd9105ca4c384a3708895
  SHA256: 20a4d4af04a5e6f3b9d25f0182a8b5da6307818f41b84d9925c490a36d9872ac
  SHA512: b95c7dcccbfe9ea9aa2034e723e908f87652a1dc2f67ca128e674c95c24dec1975a51ccbb81a951f54dcd6804e42d4ec7493b9d740219895503899b2fbaa78a1
- Filesize: not recorded
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (All four digests are those of zero-length input, so this entry is an empty download rather than a missing hash record.)
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2