Malware Analysis Report

2024-09-09 11:08

Sample ID 240616-3zns7avbkc
Target 209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe
SHA256 64e5747c70173dcfc7852dc43e569435e76ee1fb7313dc710118cfda7e041d35
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64e5747c70173dcfc7852dc43e569435e76ee1fb7313dc710118cfda7e041d35

Threat Level: Known bad

The file 209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:57

Reported

2024-06-16 23:59

Platform

win7-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
N/A 192.168.2.12:1034 tcp
N/A 192.168.2.106:1034 tcp
N/A 172.16.1.108:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 172.16.1.4:1034 tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 8.8.8.8:53 www.google.com udp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 smtp.gzip.org udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 r11.o.lencr.org udp
BE 2.17.107.186:80 r11.o.lencr.org tcp
BE 2.17.107.186:80 r11.o.lencr.org tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
N/A 192.168.2.105:1034 tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 mx02.mail.icloud.com udp
DE 142.250.184.228:80 www.google.com tcp
US 17.57.156.30:25 mx02.mail.icloud.com tcp
US 8.8.8.8:53 mac.com udp
US 8.8.8.8:53 mx3.mail.icloud.com udp
US 17.42.251.62:25 mx3.mail.icloud.com tcp
US 17.42.251.62:25 mx3.mail.icloud.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 tcp
DE 142.250.184.228:80 tcp
US 8.8.8.8:53 udp
DE 142.250.184.228:80 tcp

Files

memory/2348-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2348-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2408-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2348-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-34-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2348-40-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-41-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ad8b65bc5b65271e71e7b0acc46485bd
SHA1 afbf4baef1686a9af8f797a5d7f955ec4e678b82
SHA256 97ba2c7d15eb69612ac50e957aae8c78fa64963b9bfb79ede1bdb5f6321af654
SHA512 8bd0f69832f2000d1ba2e529ea174a499d7190c094bdfc07e9aad5d919d9e610c03e8954610dd979f7ea1ae715fbc91c67d9104314a063496c4c94991a6ee302

C:\Users\Admin\AppData\Local\Temp\tmp4885.tmp

MD5 f07601af93f751b05d37d921c55d32bd
SHA1 eefbe1b93b1c2bd09e2f005892783de5dc7147bf
SHA256 78b40d648214001f707b27ec2022cf25a8c9289c409bf4d0977ea0775f77ae71
SHA512 5c856893a56e537d35cf52eb175e7d8621932c5756bcf518016ed299b7f28468b779fbecd3afa63159890606ba7d6ce668fc5122c961faa5044cb41c9e51ff65

memory/2348-59-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2348-63-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-64-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2348-65-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-71-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2348-75-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-76-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-78-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2348-82-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2408-83-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 adfab49057ad060ec1d80966ad02df18
SHA1 3a7f51688f16086cc9a71c4cf6114c4435e3927e
SHA256 4355c06fa21959ac161a766787d76b712f26a1d7c3e81aa52d6ab9b010b9bcb6
SHA512 19a55c6132d7804850838c0e3c5a8d0c50812c79644fc3f706e6ca13a757caae7a2cb9952ddb2ffefded1aad26512be77a5851222444fbed79494eeb394d80ab

C:\Users\Admin\AppData\Local\Temp\Cab4E87.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dadb47837b9e55392a5707318fba7e7a
SHA1 b0015602ef59d394e250c1d96f0774e993bdabed
SHA256 9d7a58506a3b659c030d562479eee7190e4d54759bffea57aa30e13e8e260196
SHA512 73f1d0a0f3762bbebc08a9fcff375a181423c4f88010b46d283ce587687d8fc0394a69f0e7621a0bcbe591585b6defa64f24cc4afecfcb2d2d2346ec850b515b

C:\Users\Admin\AppData\Local\Temp\Tar4F49.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 595d0489de4d349c76e3a49acb8cf762
SHA1 26014274367a7d2fba8021583b50c2a137439b62
SHA256 a4d2ab4891b41e997802c9fd5e1087a5a777222034643abc13ef92e7376b5f24
SHA512 5d13121d9e371a80f2387c69f672421cc6d0201480342ab2f6d2b632be10c91bbf2ec64458ee6b57a1000b3d3c70ef8706b03555bad8963ebb4a63cf198e0888

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FY3LN490\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1M46YZP1\4DMWVPL7.htm

MD5 7d4cc169b2ebd71fcb4e59ace517a29c
SHA1 2a541abb00db5db0563fc3fa296472e86abfca6b
SHA256 a1ed45ab3a75cad8f65895568c401b24ca8368d4689bc201b50f45d326b068cf
SHA512 7beac9ff2e76d76d73a3e3bbe96f0a231ef119c3d6599b11dbcddd7ac7141b8d3d1d7cf052be2197675dfb6526708c4d666782301af034495c0361267e64e87f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:57

Reported

2024-06-16 23:59

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\209f8f186cc8540de46973853bb290d0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 192.168.2.12:1034 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 192.168.2.106:1034 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
N/A 172.16.1.108:1034 tcp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
DE 142.250.184.228:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 228.184.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
DE 142.250.184.228:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
DE 142.250.184.228:80 www.google.com tcp
BE 2.17.107.186:80 r11.o.lencr.org tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 186.107.17.2.in-addr.arpa udp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 52.101.9.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
N/A 172.16.1.4:1034 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 mx.acm.org udp
FI 142.250.150.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
IE 52.101.68.14:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 email.com udp
US 8.8.8.8:53 mx01.mail.com udp
US 74.208.5.22:25 mx01.mail.com tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
N/A 192.168.2.105:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
DE 142.250.184.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp

Files

memory/1828-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1600-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1828-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1600-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1828-47-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-48-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 93bf005297f158f4b3489cc04f195f2f
SHA1 161e8ab79556bfd3c956aefc510a3fb655830370
SHA256 1007673d393fb8cad214f078867a46190fdce34e8208b8ed0d3bd3449ff051d3
SHA512 25b4ffa0ab1273ca76c2e90087e589ca96504a9ca5a865916db187e2d996df7a801efa4a711ad40544ea8929ae7a1c4a81a34a80984885b2003de167b4f9fe2d

C:\Users\Admin\AppData\Local\Temp\tmpC58F.tmp

MD5 5849fc2a20cae525d359ff59689a4cd1
SHA1 b7d475a1038e83ecc7b5e86b8e6114c3d685ea22
SHA256 b3eece076f2f606fd253781971a625667e9a6e57e9da9c9182258edcd03078b6
SHA512 64fcd8c683efff5038f0aa42bb2acb039cfb1ff4a392a79fcbb2605595c7ee1944dd5c23af245d5be46ff95aac31c46e2f22937a87d84cdea4ade4b7af9a932f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\O7SGRKY5.htm

MD5 2ce3fc3e7c8af74e824891fd4c22b602
SHA1 dfdbdca6283bb1105f5eb633f355a521208f57d4
SHA256 ae876ae46de909142f188f71b597e8c10d85b72979ab56a65b8216f39db81b5f
SHA512 5da3e693af31ebea0441af543836dcca8c7f07810ca7da7c3ffdcdf65372bb457df26b1c8759c35ee90936ed4b950565c884417568f58b5523aafb48a4ebce64

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/1828-186-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-187-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[5].htm

MD5 014cfdddfcf055495cb31fd19fb3f875
SHA1 e6e97f9bd7ca7465b8ab240ff05f9ef3ae845edc
SHA256 d2a90e51db2bbf2f5d5695da81b7082785d9fd21fa77dbb70da16989990d1c65
SHA512 c6509b4e1bd8b33b4e782c722dfe535ac9692aa578db673b4f2e31ff9c157a048f5f79da0faec1de534e859474fb300620940a7eb81713a5031b703536e1dcde

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[7].htm

MD5 d8ac11dc6159aeff13dfbc45ca8ae2cc
SHA1 50ca361ffccff3622afcf412e7b90b15e76f009e
SHA256 2ea4b07d6e2a89afb1ceb6b5005b1b6d65360e1bc7eeab69a01c6ab65eb9ebe6
SHA512 82811e5b6c2a9ba787b41b7019d488c8bd42207429b86977858bb3a06d7ae2caf0c1156d8d5177ed3e50dced0cae1c6d55d8e7e5b1e188b425ccf6f62aa3bf6a

memory/1828-271-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-272-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1828-276-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-277-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1828-278-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-279-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a38798f685389c4ca5f342a618e73ac4
SHA1 3d07624dcb1ddadd95a35d61cc09d1cbb17909f9
SHA256 4eec2d592bd289170306098dc2700310784f6230ed7dbb037844f1635c57ddd9
SHA512 e0be1f90096b4653b4ecfdcd281230320357b48f9ebcd03b68d579f12f181ccfadda96c72194b01372e12bfc77a4c42f9a90f1d93f18c2d0f5d28ff4fb098ee7

memory/1828-303-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1600-304-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\results[3].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[10].htm

MD5 d5c003dc1a129cebfdfcc8a4aeadf237
SHA1 0daa161e667e4428431dc1c717eee998e5d27c26
SHA256 94c3c114688eb94ffa846553def6c85d7fcba4b1d806f84cdaf0abf795b28be9
SHA512 7c3d45b8ef49ab403a603b5e8ff9146467c7baa801abc2b802cd03512d6fb4532f03f6f20476a81415829f6de095ec0ab8632a5f24ac52ec71844fc40837d4fa