a10d22f265291dcca5b3da0f9889f9a8d4972f7953e96fcd72a4b6b53e3db522

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
Size

29KB
MD5

f8eb659ae3b31e44ff369f42b7266460
SHA1

c788e5681cd8590bf08f2c2d920528a59f46fff2
SHA256

a10d22f265291dcca5b3da0f9889f9a8d4972f7953e96fcd72a4b6b53e3db522
SHA512

0824c10c91151cd6436fb697edfce0b68bb915c7bd51a2e7be3dfbfed3f3fe705491da9f4fc45775121c3eac02eec64d1fe1046f169b890c63779af77974b95f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Zy:AEwVs+0jNDY1qi/q0

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
3432	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3780-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023423-4.dat	upx
behavioral2/memory/3432-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3432-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000705-58.dat	upx
behavioral2/memory/3780-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-276-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-277-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-280-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-281-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-282-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-283-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3780-323-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3432-324-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
File created	C:\Windows\java.exe	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 3432	3780	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe	82
PID 3780 wrote to memory of 3432	3780	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe	82
PID 3780 wrote to memory of 3432	3780	f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\default[1].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search9Z21RKM9.htm

Filesize
109KB

MD5
13e713cc8f76882175affc7c7bcce956

SHA1
7fe9bd304e4e0fddaff0483d8b971a022a332c78

SHA256
4072ed7bafb6ff3765dd20b8cb6d979d2e8ee70840a2e025f9c1bbad8a3f97c8

SHA512
82219d4d2c7b500eecb27ab2da335194d1f68bbdfa7c8684d598bb543bbc1e4902b1069804373e219a1f75b641a924448f83c73af11163236998c3ab611e68b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search[8].htm

Filesize
142KB

MD5
c0af7b803b322a41ab397044f9d58c2e

SHA1
6eb172072cea2e5de5c9193966ff46f65c3d4fa0

SHA256
90778df46ec8c1609dde6017bf6717f13de88e6b81c8fd5ee3837bd0e5f0a61e

SHA512
e943d7b5b653ae3b29722164c4b55480ad4877ddaac07fc5db807f8c0c4a6015e22f7f73841294a5ed5b087b7359ae57cd3509c0db98d63a46775965594058ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\109UL1DP.htm

Filesize
176KB

MD5
33886fd75ed78a8d1a0e23831e0c3296

SHA1
3eafbe0ceefc14674c94ae5f2d83d64d6c1068d3

SHA256
f80e7abcb8cd35eede2fd1d1145043c5abfb5126ea117ce12f9bc8477e3987b8

SHA512
c48e03dc9d583cea18c18d140e89198bc563fc8b95b7b82b7d58c88cc3aea5c3da1a0dd65384e10dc9e76850ec131a6b400dc17bb6cea958c0a2ec8710d36e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search6AA56SLL.htm

Filesize
112KB

MD5
114fe213e4b85727fc089ea9b27c2779

SHA1
accc01f3b0faca1ee3cf300505325118297f60b5

SHA256
84746e38b2bd7fe2ef0c8bd163fdea4ebf7632e1333283ee34a4a890dd07d0d1

SHA512
4e101b07cf053f8693570ca52e9f41ed20c7a99121b7c9068795f20f39af016ec284532f859ee53d6efd17133df4d874d1e4d717b64af430a770ca3e27320807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search[2].htm

Filesize
133KB

MD5
232a39f41e3093d23d2ef3535f645289

SHA1
3f4f36fa68b350e4ac9f30d48e307c609ac424e3

SHA256
bedd98bdf490aad31fa384037c0984d67a4a4b815f7a435ef6ecd74818c5e1f7

SHA512
be6fa318f6f9c59a47ca1b0b0a3ee160919f54e54b8a97029eb56bb9863b88c22ab8602a409be58798212dbf4dc3edf38b42f60cae4fe22486ec6459236e1c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\searchH2649FKB.htm

Filesize
112KB

MD5
7a63798b81769066981f19387a92ec53

SHA1
4439c34e35fb4e4949634ef8d60a9d2418fba186

SHA256
2d853df8996314385d9291bfe5ad464bc9e808ec68669de23c9badbb30986fce

SHA512
d6fd06d02a2dfef0d3a004211fbf513c1e1b39b132ca2285b3ddc5b002e092d440926019185ed8fd54f0fa5d46aa9c8bda896a446f4930b91cccc0aeb2d4cd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3DC.tmp

Filesize
29KB

MD5
4b966de069998489f5bde2fc5d05f4e8

SHA1
d7a3b4c342a60c9a388a56d769459a43b76b502b

SHA256
7149f634f5533bc00dc64a5f9de1c4dad362784149b7fc37cccb4a836f89206e

SHA512
8c487b5d75732fe7ce8aa112dcc03c32bd52fe2d33cf7e0d921e4260fe2481c013d50b9b13d1584553e0904a5e1030a253a345414dd8800628c4bd5cda611160

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
3800d536812e09af813894ee839274f5

SHA1
c44b2cb032bc43d3fa8ed4e5d38bb8f889d1c067

SHA256
f1e14015426d37e270464f6a1fcb428a7bb08443816ef8b628a19f7fe1ac67f6

SHA512
ed9980b630a5d9fac256ad55e8b3496d01dac291f0344c3240a71d3b4043ca55a044d402ec6bd3524037d7e112fbe472229d4fcf777404136f0ff2aba000126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
c8a59edd93bbd8ecdf8a4e67d8afa2e1

SHA1
db734933c57ead80331bb9d2a760da99f78274c1

SHA256
d1d4de43376ca93fbfa8458c966440106471a7681b9459fe6c6f79b014cd1da2

SHA512
3d6fa72e112836f99f4550135612b01f20f4ccdfffce79eb746f0889a18a0f19847ab69c276121a994cbd72f57a9a499e46e3e9667223c9745cc7399d00599a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
f030e953d144b748bcc6502331d1e395

SHA1
e89572b2a041bac74d4250435c90b0884208512c

SHA256
b81f4618b7ccc3146fc1e288a17087a0b3ccc35e1158052cb49a1751298935c5

SHA512
db3300e8286ad465ad49c0c49dbe41172477a6e635c3c2cd526f2776554ede8f8afd9d72e9d9b29cd44975e320d9a7a3faf4fe5d99592ac109953a7e6064aef7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3432-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-324-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3432-283-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3780-282-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-323-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-280-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-276-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3780-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads