f684ba04576aaf31057eae7befd89a7bdcca99162cb063a0e354c86fa2b36692

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe
Size

41KB
MD5

ad0993e3969383c6f9058b81913e3670
SHA1

13f05a308c3e29960537bfa31996af4f680d3851
SHA256

f684ba04576aaf31057eae7befd89a7bdcca99162cb063a0e354c86fa2b36692
SHA512

ecfc1ebb4c8bea5597bb922bda200db4c962a1b588295e3c125e3c873a792f1133beec36e81c45448a00fd33e20c0242e3754541a5e2bfdbf255c4be46065541
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2208 services.exe

pid	process
2208	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3168-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/3168-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3168-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpBC0A.tmp	upx
behavioral2/memory/3168-101-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-102-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3168-245-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-246-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3168-276-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-277-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2208-282-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3168-283-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-284-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3168-429-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2208-430-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\java.exe	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe
File created	C:\Windows\services.exe	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe

description	pid	process	target process
PID 3168 wrote to memory of 2208	3168	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe	services.exe
PID 3168 wrote to memory of 2208	3168	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe	services.exe
PID 3168 wrote to memory of 2208	3168	ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ad0993e3969383c6f9058b81913e3670_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\WRWE71EM.htm
Filesize
185KB

MD5
6f13ad6b7ee659eebc3bc964e6a722e3

SHA1
c83d5b1d580bd77fea5b84f5885565a8f35f9ab4

SHA256
00ff2f5436d6adfda529db5b825c8f696a04b543cb31d08c2df393c3ae8dfaa5

SHA512
8ed05b31414c8f1473675403b724a4f3ee137bfa6c5b247d3a0158779cfe046a11e6422a0fae736001abe63b890224ba2b499e29f4af62286001e12e2c3b4f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\searchFEVOYQ25.htm
Filesize
150KB

MD5
307a240a4a0bf15a329326a2b8e8ab5e

SHA1
095a5369b8c21a727284265ecc5ca1d860e99d0e

SHA256
8dd411af4dbf9f802db0092e60866916ff7e2ae00c2273901d57338a09550372

SHA512
747178c2a6a74d96111d225b0ab3d983fb4fb58e5676da9832ca836455eee092e15daf35a12f72c665b8b2e5872c54f1c7c958917ff48e3d07197cc1d393f2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\searchH16QQ7FC.htm
Filesize
117KB

MD5
280a434496e66909ba4b62656ea9ed5a

SHA1
b684ee729c350523039b2ab6a54c3fc5e36b407c

SHA256
36e270c68441c82842a9c563c16d867371467ccfd6738944b01aea076916238a

SHA512
4315127b47508be3c5365916972307943d167f3fb5dd32237605329b246aa64feef7fe7502ac8832fc9e5a794649c3daef2b4ba11d7269e3258a26e2bc41a633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[2].htm
Filesize
138KB

MD5
100159f5199217574e2e21c3ffeed52f

SHA1
f5cda7c3569447dc03cad82f7329d40e171c77f6

SHA256
03234dbb9a15449c137f77e9f15c2114ead226befa1dcfe365930f0bd14403a1

SHA512
5db8faa7e239f6ec9e55395109a3b1c1c5ee03e5894cb5faf5dae45e0748a96ee7660a58a9261260cc8903cb57adc14dbb0c5fc4dcd4faca3f2e081023992ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\results[1].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\results[4].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\search[8].htm
Filesize
159KB

MD5
de7fb88182c6bcda574f4333f8ff1b18

SHA1
71521199a5ce0e84ef170a725cd536b816bbe112

SHA256
7eaa49e5a5ab22f946a447412830fdb32a63ad6f651162283cd17aa670aec9f9

SHA512
674a513b92f07c12b6be654abfa981baa095e9862b5ef248703b99f21090ba20fd1ffeecb8d7dbfbfa64a757a998fea28acece4075f1a665fdae84afc162eb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC0A.tmp
Filesize
41KB

MD5
5336b1c68720e0a09bee6a6d92b537b4

SHA1
01f7abe32faf1d4ef07f873e999d7c40aafb569b

SHA256
1221bcedc2d5fc624d9e14139eb8bcf587f8e2a7a76906a153e1a0e0b837b005

SHA512
abf7aa3731fd622656588cc56eb006b523f31fe74f1754ed6daa79349cf5f0dfb55732937153d57715700db90a0e693f68b3e8a4fa77b3ea72a4a03ed0b4db78

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
20d37a19c4f09b720e1d170ce5d3d1eb

SHA1
55e109b316f81c86529db1aa7a1d255c2b2f29a7

SHA256
2c6ea8f9ea4670cd921bef76516c8ac62e8cc04bbc8e2c98f13ce98bbb5ac2f3

SHA512
44dd5d32e7b96c0e17961559d79d9283eddce2682047759d78d19e8ff5d6883dd69c68422ea8170e57b526eb5a1db33d7687e6fb4198b7dc7ec2f85c320ec850

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
02556a8b4d85dd52bb6039c512969943

SHA1
fd022894a5369a2c2885edf1234e3e65b7dbf184

SHA256
2de04041cffb7d39709f7c5bf0494f38bd90c9f5c63e2098988a9a4ff221d1e8

SHA512
914127cd0dc632f54264caedd421f62e0561f179853dee23377ce105f521e413b4f4780e690883ba632a62aaef6df9181551c68913947fd58e4bf636ce9b87a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
320e329869cb582dcbf8ab1f121c357e

SHA1
76b2df980689c48f4ecdb3bd3924bc245975a307

SHA256
d3818420966734090073d75c2c364526b3eb61008e774554b8c62488c832cb94

SHA512
b35c3285bcdcb5ffd9e7686b971513ee07bc91a739c8bf50333634ad71a22654718ea297e02ce2f631183f610918f01ea08bc0ccf2244c0e76292fd0711e502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2208-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-282-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-102-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-430-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-284-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3168-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-283-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-276-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-245-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-429-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3168-101-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download