edc5607b5de7d720ca4cdbd33523aba50953f466d1b850a8d40dd8cf922ef5fc

General

Target

b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
Size

41KB
MD5

b65adc99432eeced45230f730d600db0
SHA1

7ae5359f522ba89b6fd3143ee357154eb35fef93
SHA256

edc5607b5de7d720ca4cdbd33523aba50953f466d1b850a8d40dd8cf922ef5fc
SHA512

8c0a2326c9e77dfe140463d86e04543b825fb646047b822e4ac9361017f084e3795ce961983e25853782f63da07422ba77b30598a729bb34adf028c093915155
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/j:AEwVs+0jNDY1qi/qL

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1980 services.exe

pid	process
1980	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2428-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/1980-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1980-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1980-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1980-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1980-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpE30A.tmp	upx
behavioral2/memory/1980-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-168-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2428-172-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-173-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-174-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1980-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-201-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-205-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-206-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-213-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-214-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2428-217-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1980-218-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b65adc99432eeced45230f730d600db0_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
File created	C:\Windows\java.exe	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe

description	pid	process	target process
PID 2428 wrote to memory of 1980	2428	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe	services.exe
PID 2428 wrote to memory of 1980	2428	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe	services.exe
PID 2428 wrote to memory of 1980	2428	b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\XP5N96ZQ.htm
Filesize
185KB

MD5
b1800c03a220fba0d03e8922022027ce

SHA1
cc6a52d39762df8cf1011e8e198b523892d35d17

SHA256
a4ae3ed462a95097dfcda8172db0a04c94fb4e60d2dcda1b4b7be562bba9492b

SHA512
9ac0b561cc4058438c19722d531b765515fea353c50a8722f345fdd930339fc117501ea814afd31bb963ee6f69371e981a3ecc0f07602562c058092d2b5eca6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE30A.tmp
Filesize
41KB

MD5
408aeb114cfd1870f20d47865db24d04

SHA1
78d6471c87c4c907b10499706e93920eb30b4c2d

SHA256
7ec4e0d722defe9df97b1bb76e5c51fbaf7524b5a94cb92265df56b6519e0604

SHA512
4257f6e583c203adaa7da95545237f8d5556485e16287dab68e913a2c3973a507f7c76d5a56924a0900cbd8e49f9f8c388596ee5f0e43a2ca4e8162629f1659f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
278cecec9d036fb8c7f4b519da7edb54

SHA1
7e94f1d3cc16f565c452fbcd9ebd48489bd75855

SHA256
8d3bcdb7ca41e6b74440d78642f916d0871e675dd3c0a0499e2f76485450cbb1

SHA512
d4b1db08c2897fa4c1242c46202a7314ee94d65603405f9bcca90033f50fe2abd395b0fd0a75ff52de2fdc3d9916014a91f7fc2bc1ec1dad0aa74e5380d56deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
3429146926250c64c96eef4a96d394a1

SHA1
1a3ce32e76cc98278a907b352de3f2f4f075ce3b

SHA256
da800099bd1efc38657f636aa12903457025ff82825791eca9e4c8871ed5c3f9

SHA512
88ad9e30b84184faf23d99e812a3047abbd66e7a5e14fb4495501610db1191e572dee2de337edd2dc7a7b6303b201fe373e64f477190d820dcc8266ebb3aeccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
2fc7d35ab5a9c8850b93a7ddc40a53f8

SHA1
37d67e1ecf367b21b2604fb69f96040bfbfda09b

SHA256
a726b0399cd451617705749e6678d44a74bd072d2b65c0c693c773af668f6f86

SHA512
c61ae30dc02e05519b73debba90c9666e848163ca93d46c3ea92d78326c6cbde5dc98680daa3871d5cc309552498067d6fa858c50b1663b65c45ceb85b817a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1980-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2428-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-201-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-205-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-174-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-172-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-213-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-168-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-217-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2428-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads