Malware Analysis Report

2024-07-28 08:01

Sample ID 240611-289atavhqh
Target 0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe
SHA256 00fe03b8151e6bce31b0b50c7c57dc9c017eaefdc3a3bf748daa7d7ce41fed5a
Tags
microsoft persistence phishing product:outlook upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00fe03b8151e6bce31b0b50c7c57dc9c017eaefdc3a3bf748daa7d7ce41fed5a

Threat Level: Known bad

The file 0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 23:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 23:16

Reported

2024-06-11 23:18

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 23:16

Reported

2024-06-11 23:18

Platform

win7-20240220-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0c236da76afc97fb2ab1d8531df7a7a0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto

Files
