9d66d64b71af859c9baa636b2dee2a06b334ff09674c7b128ef9f988500deb46

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
Size

42KB
MD5

ca85caebb15a4a2c1bc83d37b55c3120
SHA1

c13a7a718848af0e545ce5574cd224ea42f5c732
SHA256

9d66d64b71af859c9baa636b2dee2a06b334ff09674c7b128ef9f988500deb46
SHA512

6c363cd1a0c74af5dcc20389e3de0563e7cdfb0bf87dbe9956552ccb11a2dcc1c719d3f1cd5923f64a0888d0a0c1f6d97286cf69adb77c74b6822e1033c9251a
SSDEEP

768:tdAkXGqv1GypfcHrk1DqAHNS/BHPmeWcTeYdC9VOV0rxAdeVj:tdAkXGqECcwYgw9PNSa0Gi

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1152 services.exe

pid	process
1152	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/1152-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-246-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-265-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-266-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1152-270-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
File created	C:\Windows\java.exe	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe

description	pid	process	target process
PID 4420 wrote to memory of 1152	4420	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe	services.exe
PID 4420 wrote to memory of 1152	4420	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe	services.exe
PID 4420 wrote to memory of 1152	4420	ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\search[1].htm
Filesize
118KB

MD5
d48c2a95f2bb58162726b10626ca77c7

SHA1
d19402ca18181798356da56e78e6510ddbd4ced8

SHA256
ea40f5e2825dd606ba176d198668dacc98d284e00c830760b6f82821cbb7e3c1

SHA512
2ff41c20a1092255d5850e331d138984e7c0c3ad03f19f0a8ec0829d97cd4240e1faa0ee4559b529356df5cb8fc44683f0deefdda63974403d2b2e8cc209d18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\search[4].htm
Filesize
114KB

MD5
7673c6133f0cff10b56e8cb5cf0a96b3

SHA1
6592cbec13787918eb2163367e58c867237e1367

SHA256
ae2bd876b8c14e2c0ae1366b567ad222635fdd8984749a45ca4e9ab070539ed6

SHA512
0d9a63a2222ff747ed1c92dfbffbe51cb5fcfd2fd4dc3ed8ae0fd702301d1b61b864c6bb34158461a91500dfafed4393c1e913c721c0264b52456f76890621da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\5HEZTM3S.htm
Filesize
175KB

MD5
46aacf50d4fed29eefb50b0c4ddd8d09

SHA1
076b3cf1f86cff1d59656275729af392a88ba9c1

SHA256
7b98cec5472188544b78762c772b26efd03f0f6a4ac5934cf5cbb048d8419bd7

SHA512
6cbd3b1ff34c2ef1b216060d9e333dc5bd675edeb0d3e24c6056d33e1bbb26720541a6f47298d1944241163255355a78eeb54af1bac804a65f1fd33be5fbc6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\default[1].htm
Filesize
303B

MD5
bcff225d207b6681a01ce639f790b613

SHA1
529dbb5ff6798cabb783b8c10c3e689e2021c521

SHA256
42c0f0033e6d1faa7c7d0a3e9caa3164267aec10d9d6066c1bf52b94c3691303

SHA512
c0bdb69112b649b4160a80cdd56c6105ad0d834ef2278bb53eddc7157ec0f811e36621f76c247bba6b25c9e855b0a51035025378a18b9c9fd1c672ddde7d688d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\results[1].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[1].htm
Filesize
141KB

MD5
158f9bca1e64056afc21a8d4f80e34e7

SHA1
ace60a4361021d2383d14eb0b5d1bab5b74c3cb2

SHA256
cc30d2e56284e97c793ad13f8522b9b4e6caca890e8213502c3c110e38c5a642

SHA512
3eb64f0fcfa24e2d5cd55cd8eabc8c222d88126c2907032d99c55636744f6b74b91c2a57d15ee156a095aa168651bcae413df5fb058bad0673a8b6c4d048c7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD22.tmp
Filesize
42KB

MD5
8a6825c3c49ebdb1438a190e7f53e86c

SHA1
4c03582009477ffd0e1008d035e87804196a8423

SHA256
3301a4144c89c3f64022fc6678dc6085223f3bd9b98dec0fd5ddfcfccd5f141c

SHA512
c1ebe000edd2e9ce4e35a823a5b6d219e06c13aff7a3615c880c8018d44436c72b2ca7420831d2d24d1513e45b76926db3ccb1faa1634f710e5a7d481915cf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
96B

MD5
e18f8008575f8451380ed8ce5950225c

SHA1
37937469fa2ba489afbc59a07ec1f4c149c25608

SHA256
87977823063ae36b9225e8c9a41dfad4d435a91effdf8f5fef5a39f4d96c073f

SHA512
cb2049b9a4fde0e053f0d163878bc7db890040b3deb989e5f5b49ba29914b8b72c567f070540421c2b0883a35d46d41478bbc86b4bc8236f0ed100c6e17a4ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
96B

MD5
e888885f55e26a5a551f85bf3f648921

SHA1
e8ce82ecdb69c0158098887f3e054678401cc929

SHA256
750e317aaab2b775b367addcdae1ab4be0e0a6edd5aa7a95e651ba69d8b86f49

SHA512
16306ee1b822a9ac519a532f9fe005046f02a176d96e3bc6a2b1ecbc2c48cc1f4a0af1e2d1c8a129407d63d8d180e2e128767cfdfe81182a8a4c59296577d782

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
96B

MD5
6a64761dc27b20e5d9137c558163e022

SHA1
70e6c36b68cc9335a345a7cb153b3c53b9accc24

SHA256
d86ee457390db7ebec5a9fd15563d6f0adde45d9b292911419920ff0a61e5d05

SHA512
6cd5c474ce81314a931ca3f4ede2e73764fffab9df1cf5f29a5653b57bfd28cd4dd764493c8e42b462673f9bc5bbb3308d54629eef02f7384d61e3852321309e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1152-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-265-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-270-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-0-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download