Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 21:08
Behavioral task: behavioral1
- Sample: 1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
- Size: 29KB
- MD5: 1ab97871b6f75b818e2183f709f07eb0
- SHA1: e3bbdb2305b8325285f3d2e78597c2bb0ea0d8c8
- SHA256: c9bf52af3fb4ba917736acf22b1e4b1db3acc94256251e186b2fb18c0513d8e8
- SHA512: bc8e18dce6e21dfe55a70883a8292de0939173bb648d6e8de1c8fbee1a0c395022fd310cdc7a73e1cab0747a9f594a1e39ed078757df0c8ff84db4d6228f62f6
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/kr:AEwVs+0jNDY1qi/qsr
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    704  services.exe
- Yara rule matches (resource, yara_rule):
    behavioral2/memory/4212-0-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    C:\Windows\services.exe  upx
    behavioral2/memory/704-6-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-13-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-14-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-19-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-24-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-26-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-31-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-36-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-37-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-38-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    C:\Users\Admin\AppData\Local\Temp\tmp7FCC.tmp  upx
    behavioral2/memory/4212-102-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-103-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-261-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-262-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-263-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-264-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/704-268-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-272-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-273-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-414-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-415-0x0000000000400000-0x0000000000408000-memory.dmp  upx
    behavioral2/memory/4212-540-0x0000000000500000-0x0000000000510200-memory.dmp  upx
    behavioral2/memory/704-541-0x0000000000400000-0x0000000000408000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\services.exe  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
    File opened for modification  C:\Windows\java.exe  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
    File created  C:\Windows\java.exe  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 4212 wrote to memory of 704  4212  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe  services.exe
    PID 4212 wrote to memory of 704  4212  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe  services.exe
    PID 4212 wrote to memory of 704  4212  1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe  services.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ab97871b6f75b818e2183f709f07eb0_NeikiAnalytics.exe"
  PID: 4212
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 704
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads