Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
27-05-2024 19:08
Behavioral task
behavioral1
Sample
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
-
Size
29KB
-
MD5
0f3674035c44ae13c771b6a97d800950
-
SHA1
5e1aebd769bfdd55a896b0deaa14ccdbb9690cb5
-
SHA256
cd0df7a520a86076261a8c1dd79576db6791eb9e1b0c8adca992dc52a70faee7
-
SHA512
73319f5533cc3aa6f984fb991c9765f2e57d47f4fcd2f5186bb2d77affab2427c4f071385a4b6266105136578192465a9f2166be44fc2d312683c646ae00aa4c
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Ik:AEwVs+0jNDY1qi/qAk
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Executes dropped EXE 1 IoCs
Processes:
services.exe
pid process
5092 services.exe
-
Processes:
resource yara_rule
behavioral2/memory/2948-0-0x0000000000500000-0x0000000000510200-memory.dmp upx
C:\Windows\services.exe upx
behavioral2/memory/5092-6-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-13-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-14-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/5092-19-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/5092-24-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/5092-26-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-30-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-31-0x0000000000400000-0x0000000000408000-memory.dmp upx
C:\Users\Admin\AppData\Local\Temp\tmp2BFD.tmp upx
behavioral2/memory/2948-86-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-87-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-240-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-241-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-277-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-278-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/5092-283-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-284-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-285-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-432-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-433-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-626-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-627-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-784-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-785-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2948-941-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/5092-942-0x0000000000400000-0x0000000000408000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe services.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe
-
Drops file in Windows directory 3 IoCs
Processes:
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
description ioc process
File created C:\Windows\services.exe 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
File opened for modification C:\Windows\java.exe 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
File created C:\Windows\java.exe 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
description pid process target process
PID 2948 wrote to memory of 5092 2948 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe services.exe
PID 2948 wrote to memory of 5092 2948 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe services.exe
PID 2948 wrote to memory of 5092 2948 0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe services.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f3674035c44ae13c771b6a97d800950_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2948
-
C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5092
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
ee4aed56584bf64c08683064e422b722
SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
-
Filesize
1KB
MD5
211da0345fa466aa8dbde830c83c19f8
SHA1
779ece4d54a099274b2814a9780000ba49af1b81
SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
-
Filesize
130KB
MD5
d209061e51697cf3ebcbb6e70427c2cd
SHA1
977d9e1df0e18372f104bdbcf6b06da6f5bdb787
SHA256
45a5b494e78886b9201a2c134bb98e108ce554e51e8563d459fddcc17eef49bd
SHA512
44e55ff51bb49045cb639ba5ebdf3e040c288fd9e485519749ef35ffa6c08cf86b59f6adb05158ee1f24161d92b44442bc9d8e94c93d57a9118f67d05ee6708a
-
Filesize
166KB
MD5
befbb11df63f8951c0f7e2500bec482b
SHA1
e86fbb0ed3bed9930efb9ba65233a7cdd44cea2f
SHA256
8b8c8db359ab8b63d7facbecd88c8ef5b86b6135100852c0ba472cab7f935d30
SHA512
a6b556f78e452515d1ac3408352a1308a5b688fdac1966d5125b76b20d89d0b5c9f044d051b5763bf5b7a13b11c0b3e59b9e3ce4c45a089a323c94eb38fbd6ec
-
Filesize
312B
MD5
c15952329e9cd008b41f979b6c76b9a2
SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296
-
Filesize
311B
MD5
cb42662caffe525e9957c942617edf06
SHA1
615009db9a1a242579e639ee0fc7a2a765095bfe
SHA256
312bf5c9a1a122abc6361bf8ed01a44346285b962c0d273ef2de0eb796ae1b15
SHA512
3e6777f1f74f64fff6cb2bd1a81a6c08d9a64feeebc3deb7cacb8f0f41b23a5c59a8e6294b99c76dd386aaaf9043a1a252ac47910fe1801bdc2995f7b675692c
-
Filesize
1KB
MD5
35a826c9d92a048812533924ecc2d036
SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd
-
Filesize
110KB
MD5
50eb6d551b6f6021908a7ee27da41681
SHA1
1c834daf5fc1424ce7076f1fc18f0b41a63265d3
SHA256
eb5cb4b964490536d8d19445bb67b9d1f59712487c194704110849893e408a2c
SHA512
2f4d924f4fd99f6e9f7382e4deb9a9792ef141ae322f47a59ebc9c8c4aba163eca649b9e43efa30b7b3b308e811fe85d0f9c8b34c41b671bf54583b87cb36f79
-
Filesize
133KB
MD5
16873ed0f4720d1d10ebfcb5bc54bcda
SHA1
9ac8f3f14af564b8bc79c225171d26b516e8e0ad
SHA256
84e55d43b17b86944ae1f6dfee4e3af6a7546a1fdebaf31b2d66b413a7cd9a61
SHA512
4ff710facfa2894f54d00fe4f10f79421e7cbfa3881834e832f64463f6bcb687cf538cd41606bc26a37a067b01e7dec36c5872fba5b96f715f056fa524b11a7e
-
Filesize
161KB
MD5
919b5ede011d426257e8d35c9fb842a2
SHA1
e8b7e0f1373540155a1431028346c7f6c1b8d3ec
SHA256
9fc7d5bc7c7bd42d73954e98c1959b4cb4aa83b897bfbed03016e024b278b70a
SHA512
3e2715fbfba532df9441727235805e50c195cf8328fa34fe8d41e42c311f17041ac0bfe0e7f5487a071668e388f469a654ec82d1965c33295d0a591b12f4e5c0
-
Filesize
149KB
MD5
66dddc9928bc1a01d1fcf7fbe66eda29
SHA1
8d9b6d5924c8080b7d2e969765db9f1f105a6758
SHA256
e0a246ec37db6e1a964f18f6b81b1ae18061e14917893752d8b662632ddf0c34
SHA512
97d3ddf4912c7716969b2a0ba963c2e68d184b21ea18cc6a10a03d6855bc6dc065c26e19cf8126cf33c2e91fdde861905d84709d6831e41ff8ce6278c3defd57
-
Filesize
175KB
MD5
94ddf7283fc1c58cd768d490f22baa96
SHA1
6abf1083c25c6a9453bf0b63d218d26d7eea7fec
SHA256
6d17964e69fa064d8e78b4ceef648154520039c564f5d39c66148006f8c89dc8
SHA512
b2bbd5491192d7857053d642b21bc2d0aba9be40308c470ae23f6a4f35b4e06f0872df4a11a7d366a255c71afd3a401bace6f3f726aeddd12b09678200d5a330
-
Filesize
97KB
MD5
f446b202727df6a62f8b196bdc70ebbf
SHA1
1b6a12d57bdeb3cc6cfb4dc3fc9b3f40ba99feab
SHA256
49609164ca59f0e3b15160af6280ea7befdb1874bb17be3b02ed64863823b0a3
SHA512
49c272292f7da310633c44cb3da87cabd804137507691a80ce7ff83f5a3d12dde09a15366998116017d3043acef13a4f17d529fdc295e74f87e0988acba75b6c
-
Filesize
151KB
MD5
526585e3bc355faa8191905f8e42a2d8
SHA1
35a0c6ccb583971e6e47fab1ea00bd04b1ac845d
SHA256
508f1e0d5c7328bc999c42afef1c9a237cd9044a987258c10ed290534983c110
SHA512
7f2000f56582420a38c8866eac9d6d2c9f85c45954ee49e9a5a368f92c871e704042de1c97c6db1021cb771688eb41802f059b8ccbe47e19d0f50c509c6084fe
-
Filesize
135KB
MD5
b14a6e9dd469418bc02fc2f8a0415272
SHA1
50530feedf9f1b9cd88bc9534060eec9b6648ef3
SHA256
fde60442acfaa3299a6ad5dda2028124f546b775732684617a8cb11b7370f51c
SHA512
d5add179eec5c08dad775a68ae16f2e7350d752b2a041b7100965e1ba9e3ea4a9aad47953abbc866d3ccc082eac3828b10922400648f5cf6881142f06e8ca29d
-
Filesize
115KB
MD5
af4d04a39dce1b8cde1626b39c346c09
SHA1
8748671d6b6a16514a9d627674aa4365effdefb0
SHA256
da77c199b63885b8d12229cdcf6789b2eafa6e041734dda29b30f901ba73c46e
SHA512
4243915275c101bfdc1bed30ab4717644f05e984887400f4d82c6b03554f396cd782890472cdbcb5bd39e8774c1d603a87b96d13a982bc6d9db83061da570514
-
Filesize
117KB
MD5
f7937680626b9a5e317e9e65709f3719
SHA1
198ce3bfc17665b24595fc65b34c635be0c1f36d
SHA256
b35a6caf11822bd0c9a954b007e3860948f41b38009f452628aa40e2e435a24d
SHA512
54e817d60c6e1e9fd6fc207a4ec5703ba77e802567142d65ce1cc92059fea3d81ed67a1bfbff79b7c9be1f10a6ac8a4ac33687d5c4f6458254663031de007eaf
-
Filesize
153KB
MD5
14ebc711da867b87a9d0f297d689b330
SHA1
89c357669eeeda85e2b37de234c8eeda069d4c6a
SHA256
cd68b1b95add161d417a10cdff269d292092d92b64509e517142861df67bd04b
SHA512
2252237401cbd81900c5fba7f1c13de455d6517ca337114c1ce4d21713fe290699e96ea7193248d4f1b5d2870223486fa4b033a79ea7935501477b45263c1107
-
Filesize
141KB
MD5
be8a455a9d24845a1d6cacd178bb5402
SHA1
6bc51bcff5f9f96c7cdd464efded33f0f2c112b9
SHA256
998bc02c9a31982d50e762ec2593ff9897d6d5bb0a847665e903608271d34704
SHA512
4617c4a9afa6ed1e7d13a46709fded57b57876e1a34dadc01e75ab06d2889ab3a16b8fb6d30ba5cf4e8aea43dd70048301a5a404ae0339ce3fb2758c2601a09f
-
Filesize
25B
MD5
8ba61a16b71609a08bfa35bc213fce49
SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize
113KB
MD5
2e0a8ce9d6dd59bffca0abd3b00f4bf6
SHA1
b946786bfb31cdde8c1f60d9505c386170d5ebc6
SHA256
a333b65a5be28b7757fa57a964a551c8c925a9ad494430678fa3e7f61281137c
SHA512
aa65ed919dc961880b9972e71bf63a42bc15a56f926a0447c4c7f1401cae35729d24606ba818c6643df22ae167c49a8506cfcba091defc6ab0a5ff85314170a3
-
Filesize
140KB
MD5
24eda926e7072ff2e9c989945403e2af
SHA1
3fc3c66e127357e264be015c56f955d879dbecf8
SHA256
959195df5389933d533bba525de59b60ff48e3e1ca6b94f38392564a391db63f
SHA512
7e1aae226749f3510fe3d8b97e5a47396fb4784268a5f625a359e11d8ed527e3dd24de42d7ff5d744d8de3ef6faee2cd966f2f3b945833ff80f1ca6efa198fc3
-
Filesize
315B
MD5
14b82aec966e8e370a28053db081f4e9
SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649
SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf
SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7
-
Filesize
1KB
MD5
3482ab4494f2d9844af5c8d5dadd1908
SHA1
4fea19f5beeb74d22babbfb970954ea32ef9735c
SHA256
7d7feca72092e807f6f3e3dbcb08759a3f509277b43b4929f491a8c0e568b5f6
SHA512
ac3c3503aff86ccbeefe8939ae02d48db19d8c78b3bbf031996c29b5605bb1e128cc434bead88a6affeb6063477acfc91093a18a8a63096c7f03de5ea5c61afe
-
Filesize
96KB
MD5
0535a21692df9b5d0bf89cd8ceecf25e
SHA1
1eb61b0206be075f9f7b02a7ae279282f2c0b5bb
SHA256
1c1346cad74e0e4688dd1a9fbfd85f8de3ea6c82c0a8d5b1905ed510a78be8e2
SHA512
c2805531efb54394feb049108d3abf97279a2052f993e9b76db44527b2ff602e176cee458d12e42c59512338d2ee40099ed90f434676bf7a840bfbacf468e979
-
Filesize
109KB
MD5
ffd4ae2c4530e2d6a6aa77226ee5bf69
SHA1
8443a909c727f08f49d8fee3e8b79f3ae7a3c680
SHA256
12f9287dd4193c4b6fe257b5f0e680cbb6139c9fdeb256b555404068157948a2
SHA512
285dbf72a0a50b8ca5c4528ffd1b01f1d70c658eb0915fe17a64003b61d45ea5cf6eec581c604b92b39487a16558ae020da971a0570d86dc57999faf6198997b
-
Filesize
162KB
MD5
af74568671f8ebd0e8342790d2a8297d
SHA1
b582262bccd9712ca865b5602011d9eca50d09e0
SHA256
cb3a03bdca2b8f93f861095053ff88fe79a71f1782a7e40241e6440c3881307d
SHA512
4de09d06d9d92db380dc8d18de0ff12ad44d24b0a0b8b715de39967e9ce23d9d7b304e90c807ebd99268a5045a65a15d4fdcea50e779a93e136669e659cdb19b
-
Filesize
109KB
MD5
cfc1c1893db49cb5121ed7075fb529f0
SHA1
de677b1a254973fdbc6a25f148a59f67d681899c
SHA256
09b090a23bab2c0a467367c80b48ade5b5db2fce25248c6a61b363c1d9ad1fd8
SHA512
369a71200cade976efa064961b9412082d7c6cd27c5fbc4a1cfc97ad5e1690189f29bc6b3452e218a276e152452ea2ff75e281fb42c0cfeee98c62343294d97b
-
Filesize
29KB
MD5
7a282396c7c2f40b3ded4a2eb5108a67
SHA1
2dee9512d50149b21a67b652a8c165d02becc427
SHA256
ee32cc55e633cf5ffdfada746c2c30e73bec35aeffec769464f0df855974f858
SHA512
4ae71f2d1778ac4a0cecd663df7cf697d3b6ab39231526d6db227010eb8937131be14d70aa53f771c782b8c3d3d93faaad3d00d0b5bbaa0957f80f3c910db364
-
Filesize
320B
MD5
f5ca128b17e8d404992d2bee011c0600
SHA1
438796766b9eb26de1b0594ae2448d1a90aebb7c
SHA256
5558ac944113a3582d6bbd02633feca4bcb546b54b0b81b4b10cc29e14949aee
SHA512
b4510f1411dbd94424a83bf8bedbed40a48da2fd938ac43576156cf547fd8aad9433dd5a5c664be48cdc2aed4fcc02f6c9986b242b331b961c9428270a51198e
-
Filesize
320B
MD5
67066f9d5dcdbfba570b36d7376edaa4
SHA1
c359c3eb4e42a54e74dccc6673a29f0a362e6803
SHA256
70aab7e2a7a774c6e72d13977328e819614850833d765bee6d2bd2816c94dd14
SHA512
4351a4c168d925a5fb5a4153cdc58174b8a1c4be38a6f7cfd0997ae072f7a380c72391fe7f7a07608b7f089a73795d52a9fcfa3aa700ea86c377d65be85ccc8a
-
Filesize
320B
MD5
f0d7461e2ba7b72c51d1f4e19b49bff4
SHA1
ed92b2e53efd23637751927a13a8b9b8ab2bd2fe
SHA256
d454a4927335d7fa83063af5e927efdc80ca4b908cb5a3310a0b992efcb9cc3e
SHA512
80eeabb49452b77f1b1062fe4757e68e70bd54e526197d34e701e76c880b070eb29570e800ebb3ead17c238d0d799ba409e3e57c1ee8f550b62ebf8090984820
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
8KB
MD5
b0fe74719b1b647e2056641931907f4a
SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2