c0fe535434d35fe6f46103a6a2e76686badfcb74f15b58d27c65689939859a91

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
Size

41KB
MD5

a3141a8eccd1beeb1a5d9ad0f1aef340
SHA1

68746aef690341b073f1eec78666d998b2f0933b
SHA256

c0fe535434d35fe6f46103a6a2e76686badfcb74f15b58d27c65689939859a91
SHA512

b804be1511c1acda6148a4e51e60df9949f9cd7b3642ab939ab627619f226288745c3803dbea64f38127981defb4f61d8dbdbcad30fce932fd84defceb16f037
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/I:AEwVs+0jNDY1qi/qg

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3620 services.exe

pid	process
3620	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4000-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/3620-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp34D5.tmp	upx
behavioral2/memory/4000-114-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-383-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-384-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-387-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-388-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3620-390-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-394-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-417-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4000-561-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3620-621-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
File created	C:\Windows\java.exe	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
File created	C:\Windows\services.exe	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe

description	pid	process	target process
PID 4000 wrote to memory of 3620	4000	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe	services.exe
PID 4000 wrote to memory of 3620	4000	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe	services.exe
PID 4000 wrote to memory of 3620	4000	a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\results[6].htm
Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[5].htm
Filesize
129KB

MD5
70a51207961670e9d75d7302ceeecca4

SHA1
2b593fa6a02ab44c7c7d2a46e8aac6af05a20dca

SHA256
8a007183eb3c2092b60798f84baf5c29faf6f3eeff149d5534a2339a0b99c315

SHA512
48957dc666b35554c114a5635ecb126296a1eb5ed62d15d7f8985b605522c6c62aef06a0363c443a8b17533acb29e058fd3b785e9bedb10b98939d3ca89cee28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[6].htm
Filesize
124KB

MD5
0fb151bfe0194ed0da204592b70a50de

SHA1
e7599464afa27da7174f59fcb78eee9c7507f84b

SHA256
ea35b8e78dc8c8c0f3b18c4c2ae996aa9475450180b2cc082b88c7728e71aab6

SHA512
1458ab6cb9e2bd227f6f15227853e20dc74f736e203d74c9b5edba98050a46f26336cca82e6eb223699509607a337cb07554c979ff400d15dcd28e5eb17c5cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[8].htm
Filesize
149KB

MD5
aefb176179ab3a0aecf68a206828c894

SHA1
d8cb0774fcd7d802b7085c24fde63dfb45d89ab8

SHA256
3e6b821ec9ec95d76fcc0411092ed6a5a8ff0df6f3f40fc7fdd3facca657c5b2

SHA512
9ff060ef076a6ecbf91b54b3e51505f529845d8f66d4a2548dcf19b8a98ed96bdafdbdc16ee13123768b88574b8871e086ebddcedaa7713e9737086c4aeef7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\L99MV9CI.htm
Filesize
185KB

MD5
17ee38f0109e97507986885cbe1cd9e4

SHA1
6d5ba7fa061d6d734410ef7ce7d0e1921273bbdc

SHA256
1982388b61780fa883e70086d42db0cd49d5c9f9236923c6c3742a3b7b4314e0

SHA512
f507aebec79d908462cc16ee5bc7502a895c767d001908a567c142590dc0a49aca32c3ff704b7daba0f2b3bf2d5de7addeaf638dbfed64a5e939bebc3f77860f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[2].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchBFFK6GOZ.htm
Filesize
160KB

MD5
5f0b75928ce59d3d44258fc602ea9cb2

SHA1
f8498850880f1adf62e87c383c7970a3acb6ff98

SHA256
56dd72b5591aa650720516deb80eda393a12f5abe2dc9b9b11c8ef440d8e368d

SHA512
0386b6334f0fbdeec380d2d0205999d572c57dd3d575d890e4cb757f8900b1b1d00398a190add00b5bf7b960f464824368e9c9ef8ee1d4568eefbe1ad7d6fc96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[1].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[9].htm
Filesize
118KB

MD5
a0c13a04e416794bec70dad7dbcea5a7

SHA1
dafdb9da22d2399a615f36defcb49fc3fc7a842c

SHA256
46027d28154f9fb520ed1a2ae8dc06648d022bceb5d5345981ee12da830fd239

SHA512
47d9eff9bd585284e07b2dd4d05caea98f1399c9a76d328ad837e75043db18a7252386ee95a8b5d37895a57f9bb710a6dac763a5161ddda4ef3a095cc345353d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\default[2].htm
Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\default[5].htm
Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\searchPFBJLOQI.htm
Filesize
129KB

MD5
e11bcbf0a25e5643f856346d733fcfa6

SHA1
e1a303f27205e3232c2dc552e88c8e2b40d23295

SHA256
200cdcb32dd6f38d31a70c4f4085399e4752ac774c9c6d04d5a27f9609b3bd8e

SHA512
251acabf2017706b15da921fcfe0fa0b48eb5a50ce9081665b833506f1c584ceaf0869f1c4ed2cd10026ff76fc0b07afb8bebec98e59d71b99bd93f0fdb5f6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[7].htm
Filesize
137KB

MD5
b9adf34b800efcee3aa3396161d4e654

SHA1
541717c5414604f919cc87b73eded55905a4acde

SHA256
1d97d74a7198a0048949484b0470bf888c5024c765742b9282fb39ea94da301a

SHA512
afde1739603daeb07818cd011ad416caa38b3f344fab52f371f203850d8145fd29279cd813e5114b1bf6308ed069296c2f8e58aee2805ac7d2fa911a4af1bc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp34D5.tmp
Filesize
41KB

MD5
578c5bc212e2ded7038ddb0956908569

SHA1
b800de84d33ee53b47f7853274e81f47871e98ff

SHA256
a86762b18d1ead480643737d21b03742dd70c4c9b0a10a58c24a2272adc9526e

SHA512
089bc74caa1f6bb2499da10c5677e5aafc0077634815117c0a878e28eb89e0b4eee1342011a40e7cbcd63d22a5d1bf311645363bf0f35ac41f0a82f624d33c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
c3bb11aeb77d44d21b43a363d726946f

SHA1
6c3201df3f7a21181f76e49421e253a0ef48a916

SHA256
f1c32d701ebb8eabc962f213b38aaf22fa39e06ed59af65f90fc74dd4017cf52

SHA512
7b536459ddabc73b2710c7ee7e9f2bc01f6752f2804c49d75856f4a35b83fbe6c07640d018aacc40c714efcf475eb912b2be8426f322dc629b3c0e7a12215099

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
d9b172f3b0fc11bab0424ace11ebf020

SHA1
6b65c391cdeaff9b9f192ee2cb3ad47ffd97ff9a

SHA256
aa0b032869c65e89b7439b186917ef7ade3b3b7fc152663091a119c5992db8c0

SHA512
2d7440da9c88b8c00f6f6ce6184e25dc4586f61f977c0e35cd717dc2dc90cb875b61c0b4a54ec15f721edb7907612351d771cbe66cebe0b7ed7f84c0821169c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
5fdb3f6405fa0ca691e5216ab2908c51

SHA1
6d5a8c0ab160ccaf3b5486e450a9c255bc66c42d

SHA256
079b74d3053880164f9aa7c4469609d3e3f697b43fefdb8b8cf3184a16a420bf

SHA512
d14d7098c2c0109b1ec85267c650688debbf55f6718e25769c92f46a3793b85bef7150e30369d9bf951d37c00c1d5791f707d7af89d327d83098eeaa4b6899e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
db356ce6f586db9014c66b53f45b5859

SHA1
94e2a2ddf00fe37329425deed74c81951e3f1888

SHA256
ff883a9aa2c8bf166f80e5b6b7fa989cc6629e1d286aa0281c2a12a9797e63fe

SHA512
73c1554b2c8135329abef4f5960fb5e112e52e7ecb02918bcf89614fd435f9357752d2ce901d00f92d7c5d3ce2027467b73cba211bdaea59eb2cdcf5db6b88f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3620-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-390-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-621-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-384-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-388-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-417-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4000-394-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-387-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-383-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-561-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4000-114-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download