Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 19:52
Behavioral task behavioral1
Sample: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
Size: 29KB
MD5: 1411ec0e42c9e4d38a31a7f4aae94490
SHA1: f7a2fd59988d89389f198f50bd52f0da7f81f014
SHA256: 04079f8509ceb8ec7a73d6234c1a52b732897b977c3e269e6be701017caab202
SHA512: 3ff56ee215e5cd8b333a8951324e47fe0f6463aca3e140362b67c298eb64d78b41037730d497488472ff224a305970f50ad7d531463cb3045860ff36a848fa27
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Z:AEwVs+0jNDY1qi/qB
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1232: services.exe
- YARA rule matches (rule: upx)
  Processes (resource, yara_rule):
  behavioral2/memory/1076-0-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  C:\Windows\services.exe, upx
  behavioral2/memory/1232-6-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-13-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-14-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1232-19-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1232-24-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1232-26-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-30-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-31-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-35-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-36-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp, upx
  behavioral2/memory/1076-134-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-135-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-138-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-139-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1232-144-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-145-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-146-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-170-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-171-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-174-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-175-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-234-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-235-0x0000000000400000-0x0000000000408000-memory.dmp, upx
  behavioral2/memory/1076-409-0x0000000000500000-0x0000000000510200-memory.dmp, upx
  behavioral2/memory/1232-410-0x0000000000400000-0x0000000000408000-memory.dmp, upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe", by 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe", by services.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  File opened for modification: C:\Windows\java.exe, by 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
  File created: C:\Windows\java.exe, by 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
  File created: C:\Windows\services.exe, by 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1076 wrote to memory of 1232: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe -> services.exe
  PID 1076 wrote to memory of 1232: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe -> services.exe
  PID 1076 wrote to memory of 1232: 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe -> services.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe"
  PID: 1076
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 1232
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads