Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-05-2024 22:38
Behavioral task
behavioral1
Sample
221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General

Target
221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
Size
29KB
MD5
221ebac6c213161c7835432767339f20
SHA1
9ef2ab2f9fa7b89ae6ddd71a893cd2ee712390a5
SHA256
595348ff9e70c8ac790412a229fd71c91d905f97e80ec86ebb5357949446c4d8
SHA512
1c1b363560f29874a5a7b3b04bbb69db31550f727966350e8d71e7c299327460688460c0254ba787b9375d7e115b34bfc0664687b99d1d593a93fa20cb5396ac
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/O:AEwVs+0jNDY1qi/q2
Malware Config
Signatures

Detected microsoft outlook phishing page

Executes dropped EXE 1 IoCs
Processes:
pid | process
4768 | services.exe

Processes:
resource | yara_rule
behavioral2/memory/2864-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
C:\Windows\services.exe | upx
behavioral2/memory/4768-6-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-14-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4768-19-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4768-24-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-25-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\tmp1AB9.tmp | upx
behavioral2/memory/2864-81-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-82-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-181-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-182-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-183-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-184-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4768-189-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-193-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-194-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-245-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-246-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-249-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-250-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-334-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-369-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-501-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-502-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/2864-648-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4768-649-0x0000000000400000-0x0000000000408000-memory.dmp | upx

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe

Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\services.exe | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
File opened for modification | C:\Windows\java.exe | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
File created | C:\Windows\java.exe | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 2864 wrote to memory of 4768 | 2864 | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe | services.exe
PID 2864 wrote to memory of 4768 | 2864 | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe | services.exe
PID 2864 wrote to memory of 4768 | 2864 | 221ebac6c213161c7835432767339f20_NeikiAnalytics.exe | services.exe
Processes

C:\Users\Admin\AppData\Local\Temp\221ebac6c213161c7835432767339f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\221ebac6c213161c7835432767339f20_NeikiAnalytics.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2864

    C:\Windows\services.exe
    "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4768
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
312B
MD5
c15952329e9cd008b41f979b6c76b9a2
SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Filesize
114KB
MD5
963645ea87aad30392c097b78335471c
SHA1
a0ca776c06a7447546eb6ae6d4bb39861d770b8e
SHA256
fa63da0006abbacb4ebfe584d6d05ee9656ce52919c46edec23745327371059a
SHA512
e35d0b491b2a6c5b3821d334875c02e05fba88f4e3113671f5c1641b2cabfef5531948c9b2616894e3f7e459b5bdd2e7d9dc01514209fa554838fb9171368ea0

Filesize
25B
MD5
8ba61a16b71609a08bfa35bc213fce49
SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize
312B
MD5
e5c2364375c0a8a786a9508a840b6299
SHA1
bec1874db0d2348274b6656d1383e262f73e2bc6
SHA256
51b67ae1066eb179562cf80a8a156bbd4b139b83072f610bf62c0b6d58ed17f3
SHA512
ee19a8fa40bc7e991ac289eb30ceec8264d6071f124e99791022961c99f25b97def4f13fa96149eb52786d1104d85d20410e65a333304c0df6ba858472a557d3

Filesize
1KB
MD5
ee4aed56584bf64c08683064e422b722
SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Filesize
141KB
MD5
564fcbd5dec43107aee8eb1c7ca562a2
SHA1
6d55a030f66d6b345580a78de1bf2ab7388a117f
SHA256
dd7f605d91aae0df38964bc9fbdd93d07abafe1b903b5bb02c66df8ba8793ce5
SHA512
6974b2be551ed3e1a8c8bafabae7be80a0aff2c71ad6874c48da77f6f79c413498e792ba6a6d3d374f5b273f6d9b60c56f42419c4748f4cef5e7e755a66f31b0

Filesize
124KB
MD5
194202545d8c0bbff84806aeb001714c
SHA1
8969ac6c87e239eda872fc8f835c6d8c28652045
SHA256
53bb754d2fb2e23885fafd73d21a2f501d9c29930b7c54a1b6411f94d977303c
SHA512
950bb9b13e1ed14d88277b9b3bd635e2b684c27da8cf9f24395e8fc81eb2d8b1c153c6cc1c70493110a6654c3c765e0a0d96a61de02bd3708ccd3d4f1acf6b99

Filesize
174KB
MD5
a94b97d73eb97be483c07edc96d76ed9
SHA1
bf95e0eb58adb5271904e0efccdd54ad21dce573
SHA256
f2d63cec8b3ae600e3c5dadf8562ca0dcd175dc1c470699ee27402d018af44ae
SHA512
d351858d5a6fa09362ac842c37dad9efdcbf18bbd3f4a6002a313ee12145d408803938cd07aa9ff877841293300b92d64af1e8a90d8e47bf91aa7a2364b94e50

Filesize
175KB
MD5
5fe01db3af375e85163921bcd438d8de
SHA1
79d1c47b38fc897c0d13fd4293e5a9e251ef985c
SHA256
86fdce01e7317be418aa9774124461674af0975592fa76ef198fa693c18a6997
SHA512
a2541fc4355fa383ec3d4da7e6447421a2d25a64dfab151889482d2816c8ae61af9c191a119d583d5a00dc4e1f8036cdbc415112cc426c24cebbc34373b6d056

Filesize
1KB
MD5
211da0345fa466aa8dbde830c83c19f8
SHA1
779ece4d54a099274b2814a9780000ba49af1b81
SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Filesize
135KB
MD5
a3fb273eb70d5004c9a6e580873112ed
SHA1
079ac9000356708bc7fa5eb56c13010e7193c36a
SHA256
c8872b4f54743004b8a8a9b48951245ebf746a5eced8b02503b7c3478db46565
SHA512
12fe66f49903579477199221aeb1e1ccf423ece6732700dd8dcafb4c15fdd48af1fa9aaf916f2c46c1ba76fa29d761a675161cbba4df0eaad14c6a60b1a37234

Filesize
167KB
MD5
e7c53534d813fe9390cf1ffcfde1776d
SHA1
aa390269c73b2707c0fd49d1f840041ab80b403c
SHA256
661667d69bf8b1978561a1358af85f5f814ba242594c9f49aa3446eb503219cd
SHA512
9e96da9ae5446019437e71f5a9e3f41dd636767ccebb18c76fe891f438fe3ebd0562c00648cd5bf347024fb85fb2a06d48d826d95d7ad75d26114c37b481a4e9

Filesize
153KB
MD5
896e9cd9c6203f8ea076b22fecfa9773
SHA1
f24a78da8055e814f08f4e1307d996603e8238e1
SHA256
e518b34a2aa93589f43b16339a73711c15cb09841ef6dffa069a3f529104b537
SHA512
ff782f43ca23854ef883fce40070f792215fded9d29b07a93dbd74b60bf6b8899e88870e01700ce8bb343422181698ee95b92dc1ed7ff078dd52c4be48ae0aa8

Filesize
151KB
MD5
8732993a37b4b5534cf81eb2f53dbaba
SHA1
dbd664aa1f8d16363a6d4e25773d1a9d62d42e26
SHA256
8c1235c32a0e8ac72ed56f7ad349a86a46b7c94954660afca9b1dcfb9290cc46
SHA512
ff7615ddcf5e7363071f57a5c125dc458fbe575645b382ab8bd7abced1ef029cf3a3865eba3871c421e96759f906da511e33d12a3250666e931d440ebc34e910

Filesize
112KB
MD5
7d7c5e9cc3334d18fe849038b0e87974
SHA1
1e38bb92d64e912c571f27e18f3816aedcbe9d35
SHA256
5869e5864d9244368ac3413ac6cca59d58d82097b4dd1401ac7d4bcea1f52d08
SHA512
c5a2a3b97b58bd29cbc296dc627e77d79964d2eb3c0055a43f5c51c816e7b1d79f4d8909dd9cd0ed6a6b43e1ba73b922d0062028f4e7d74a39cc7881466059fa

Filesize
29KB
MD5
b06e6eef1d26b65ffb1cdc70e7245beb
SHA1
be4a6e3ca80ec0c3dc00c2fe5957dbb924508b8b
SHA256
a6d90eded967ec3590b20e1c6e5b710cb04b143c30566478cab4a3a333ab3177
SHA512
c7bd11e5022973d69fb92df72ff7e0829df19cf1aef4a25f56dfdcf2c9882ab5e68c1459713d48db4a6f6f4ae5909b8f626c50b29d083534693d2f432860d9a7

Filesize
320B
MD5
6c099dd3fe44e4ab2ac16be876626f01
SHA1
7894cdb6300136c511e8c3d5055d5e484dd447c7
SHA256
52a892b02dfe4cc710d76ffc7d9e7f72086b6519cd86f7217634b96e2313c97e
SHA512
953efc18c011ffd0b76efcd626b2888381a265a743c56b29aff05c7dc2db4d2721ca542d4f28eb69176d9a888317323c424614b07814fcd087c1e25c4c15fd29

Filesize
320B
MD5
ed02366e28a5c585e12ef705cd2b9984
SHA1
847bbbda4485028b1ada4b460f78d3a4093e5f78
SHA256
24ef5e9d0ab8751ae66977863b7140ce3ea775b5739d4064eb82790571ed17c2
SHA512
c72a1a13fd329f26b99a8bb57584317294bafcd7a3f787de444578861bfed25524b73126862d77f0d3ef9a991cb0a8f028151bbe811bd2c3cb4851b182e384f4

Filesize
320B
MD5
24cac1823b268c706f11b8132da2992e
SHA1
0f8dfae6f442a40417b99230c30a5769e23aba3e
SHA256
1f4e3e8e3dce15cade69629b7eedff46efbed5fe853498aeadc10220ccead9b8
SHA512
f0885d592618ab438a932f8ae8679f63633f95ba56bca8d21b6ac44315bc91657ad202c1e15ff2bf75fe39f237cf99a95772456076116f26f6a73385d0ac9c01

Filesize
320B
MD5
6969d00683ba4b4a21b52e431ecfc169
SHA1
a4a232d2432cb11d7f8d2f57192207ae071e34e6
SHA256
c21e030ec2328e6d2bec5815fea035121e174d157f5138a3ccce88b361ffaa6b
SHA512
2f940495276c7fa31c5429e556389595efed79e862cccbe6be8fd742ef6cba55088e6a90d8b0a971dbb14d1eb82a9a51b049f75c8fffc57d6bf5e68badde72f7

MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize
8KB
MD5
b0fe74719b1b647e2056641931907f4a
SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2