ecae9c306eff175c4c38a1da54416fddc4161f859ddcd24b66cc7ec8bd098564

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe
Size

41KB
MD5

c7a12c5b4b33caf85bb82d9b5fa50270
SHA1

44ce146b0f4cebc3e637ee589b1e5c3084a11a11
SHA256

ecae9c306eff175c4c38a1da54416fddc4161f859ddcd24b66cc7ec8bd098564
SHA512

f17534f9e33c19f69ae2cc96b0f24cca0d372778bdd17ccca1649fbc5066a39876492a4c0ad6fa05f3cb0a074f09785c0f737ea804946c5a9b109f45a1244fa8
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

224 services.exe

pid	process
224	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3776-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/224-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp93F1.tmp	upx
behavioral2/memory/3776-161-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-163-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/224-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-173-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-251-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-252-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3776-419-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/224-420-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exec7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe
File created	C:\Windows\java.exe	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe
File created	C:\Windows\services.exe	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

description	pid	process	target process
PID 3776 wrote to memory of 224	3776	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe	services.exe
PID 3776 wrote to memory of 224	3776	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe	services.exe
PID 3776 wrote to memory of 224	3776	c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\search8HLTXRH0.htm
Filesize
157KB

MD5
bdb06ae4554c8981944fb425f49ba5fd

SHA1
5416c1a049c960fe3043f61600ecfe7b2f4e3823

SHA256
8933b9517090f09ba3883998ff5574f8164bd6a629b3cdd27b19123353c07870

SHA512
53418e02d0aff08169a1dd3ae326bdd57930d7610210094c636d2180d9b9035b6d10ecba4e2d775f90193312b38867729c580a897e179f212c5109217e6dbadf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\searchYS0X43XE.htm
Filesize
150KB

MD5
87c736e8d1778a6b4e71e32b734da181

SHA1
a676eb734de1e940e96274732998e7b0e2d19ae5

SHA256
041f00c69ac87fa16ed8d227797b1414997fe8d5c5df56db25b58ff95ed70307

SHA512
86dc33550cd6aeaafdf2d3276ed9dce1b7de6936da5a1553bcfc103df1e5b0bf7e2581f4acd15e28d026135eb75739b69bf86a724863d44a8b7df1397aed4437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\searchRBZVXDUJ.htm
Filesize
135KB

MD5
3a9b9222580c5349f895b7798dba0275

SHA1
33fcd83adb407ce5c54b01d9b91a30aace5a0d08

SHA256
faeda10ce2e2cbe3d5487e178b7003397c55ed42e883dbaab1171b3d5ff5537e

SHA512
8a8c3ad3783c98f146a709e2b4c8e8df150300ac29c78328d372bf8a1ae0b114412f0fc623d6e1cfad4acd0010fbe5283a32c3ac451ee3fca133ce36152a0506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\default[2].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search24IPXUKD.htm
Filesize
171KB

MD5
71320100b22868d64d0e24d45ae019fe

SHA1
5a6c7eab43f56913bac60295d4728b2b764e4b61

SHA256
d61bd93d6ade020d87d55775b0a4d81404424bf13a1d1eb8f99a5c6e0a51d85a

SHA512
9e9821184a5b14afed6765ee62a14d22b684650d6d24bda401c5a35f681ec68fab90ff00696dde84e01a2fae87ee23bdfb8d5328c340d26851ebca0dc0676fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\searchOBD0JRWY.htm
Filesize
155KB

MD5
5a919c244746fd469332ade5cd0fbf2e

SHA1
093db588fc1b6c3b3e1903911cdc9039834f5461

SHA256
fa4ab9e484bdd6b31bf15ddda7a86c0eac65a7b59c6457a0dc059e87204b65b3

SHA512
c1fd46e339f567ea2a4856324e7e730101a6570d0bcf4e06a7e353f35456cee83d6a64973e306ea00043c3e491b09ca7961894ea4c62bcf4df9ed4c4657cd131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[6].htm
Filesize
164KB

MD5
6075d1e85779706c6e206bd290858421

SHA1
48fefbb8f61c5c4c6b7b3ec5c543d7ff12ca5720

SHA256
8d29f5db3978d98bdb7dd421e433104c0ce8b3ed0ce4751fc01872d3fa181699

SHA512
7a971e8be47b76448c2ddbd36af333205a372a38b661e35b88cab9039532ed26b4b14a9d3054d29914973355293bbf0cd5f9b4e084fddfdbc0c3783ddf9ecd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[9].htm
Filesize
148KB

MD5
c1fbf6271ea25d6115a745e28a1f51b2

SHA1
bde5426d24f6fad9bdcb5b9cba9709d129836d12

SHA256
781c6756bc7b7bb8e5a05995dcaf4730ddcda1aa8a08dc3e339c6f9e2df35caa

SHA512
e71d60691b878423624c2db7a1674962eead14b7805c28fefef26852d2fd93e49b47edcca0f05fd00397663402b39c00015e848a042fdb9272b733d86f1070e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\K2NJS7SI.htm
Filesize
185KB

MD5
91830ce19c3f97df7f671fab09d7ac4b

SHA1
480fdcd41ac9d6c04521e534d0333433a9528d99

SHA256
c451a2f208f7275b5c1499b66f7bd7433d700efe9dc1c1f80656fed7726f32c2

SHA512
950f1c151b6fa18be66a7f9b099944e0e3cf3213746a044fefa9e5ad310648b15b0f776a1b710e64bb4f4cd961191357d8cccbe2944a24f1bf36e858b86e7e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\searchV0UJ5MHL.htm
Filesize
157KB

MD5
4b83345caa8db8d10a5bcd58adba022d

SHA1
32221dd2ca8677f65bfb90b762cff3f52de36c3a

SHA256
505fdad4f1c418337fac077cfba7411af7855970af3b3a90732d46b72a9c8e5a

SHA512
86c70f34b704385894d2d62062df07dada44d67c6c2e41db7e432681b59f40fb76acd9bcd091a38eaaa481a8970aa1ca62bdf6f7a4ced04ac457d1a04a057491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\search[9].htm
Filesize
117KB

MD5
796ba45c7205476227e249d19f13809b

SHA1
294a823972478a309a22170be305f064c7110b8c

SHA256
303ca543aba033b8b0a66d7c62580180e838f086734be57a8ca8d6f08c9ad2e7

SHA512
57523b3c00aa5d8d611cb663bec5ebaf11995c33537efa528ef515aa8f5dabc091c62ea047e26533fae9a1d11fbadf36cb65a37701b5828a36558bf8657cb7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93F1.tmp
Filesize
41KB

MD5
5550a7488e870be6e9f502752fb90532

SHA1
1767b97e9933491909034795965610d723d0e991

SHA256
da2e8b26f98fe9a23134799853f2810d60e6d04eefeeb6214625a6dba1bebaca

SHA512
cc87de8bf9ee3c2fb1374383d5c036dd7da048e227b4cd7db7b7b4479eb53a1d0b3e65cdef9e8d6fca680fb330b6ff05ac833d679b8c8aac3ba6b5fae4b26e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
0a0f2191aa71cce6870024a782bc4999

SHA1
78437a583e013c27ba3f6194ccd5fb2525e75167

SHA256
02733a4a21b98d78ca9873ff8aa07130ca225eca3b1be63ff749b2ad66765f95

SHA512
7c6b13d266a91c41db1ad5cf11f8751dd1c3363b2c3f9e1f94cba1eb17e7edc2a893eec0403a32e4cec0bc45924f99057afd3031f3c099e8f8354799ad32799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
44147e30f19429158696b408d898e84c

SHA1
93717cff798514afc168607747f884cbf0994b82

SHA256
6f7a6189ff9ea66e8f11992da570770b4884e4f610aae1bab54315471a4e951e

SHA512
9896fc28170a0f5cffe203bf95c9c70e19d58067854faf286353c8f20b14c9f5ec267e65b3bcfcc71034c4ca2d7c3171924b0373fb74c227babd18f060a47934

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
230be7e612eddd73a2ff902f8d970495

SHA1
c01cbf3624aeeda9c9a7109615628c395f3533f6

SHA256
211ba3912f9114d65b4de107d3ef0cd8d6f7e074788888e90a7768fbe2c2669f

SHA512
36deb8b00f40a2f22c76e27520e777fa83a1ad629d461a26b4acb7efe03ef0de819881819746f3eac34ed917f78af99da282bc73671b1ecb41f15bfb6f563e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/224-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-420-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-252-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3776-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-419-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-163-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-251-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-161-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3776-173-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download