Analysis
-
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 12:34
Behavioral task: behavioral1
Sample: c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
-
Target: c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
Size: 29KB
MD5: c05bc468e44951935a58c1323d48a070
SHA1: 0b92f38bc6141065041406f90ecd23f6e960abad
SHA256: f7c4aeaa815f44454061199f2d8318724e333d1f4a7047fb1caf919ceaa6aee0
SHA512: b473269981f11f0f1fccee89938f931d069bb42c0618ed7f7e25e14b04b2d37a30f351b2c6decf81442b67259209498304d99a414c852d4d5f1b8ab395a389a1
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/3+:AEwVs+0jNDY1qi/qP+
Malware Config
Signatures
-
Detected Microsoft Outlook phishing page
-
Executes dropped EXE 1 IoCs
Processes:
pid  | process
1652 | services.exe
-
resource | yara_rule
behavioral2/memory/4168-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
C:\Windows\services.exe | upx
behavioral2/memory/1652-7-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-14-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/1652-19-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/1652-24-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-25-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp | upx
behavioral2/memory/4168-76-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-77-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-207-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-208-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-236-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-237-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/1652-241-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-245-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-246-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-369-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-370-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-518-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-519-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/1652-650-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-649-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/4168-799-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-800-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/4168-926-0x0000000000500000-0x0000000000510200-memory.dmp | upx
behavioral2/memory/1652-927-0x0000000000400000-0x0000000000408000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description     | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description                  | ioc                     | process
File created                 | C:\Windows\java.exe     | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
File created                 | C:\Windows\services.exe | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
File opened for modification | C:\Windows\java.exe     | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                      | pid  | process                                             | target process
PID 4168 wrote to memory of 1652 | 4168 | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe | services.exe
PID 4168 wrote to memory of 1652 | 4168 | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe | services.exe
PID 4168 wrote to memory of 1652 | 4168 | c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe | services.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c05bc468e44951935a58c1323d48a070_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 4168
   2. C:\Windows\services.exe
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 1652
Network
MITRE ATT&CK Enterprise v15
Downloads