Malware Analysis Report

2024-07-28 10:41

Sample ID 240616-a7b55ssclb
Target c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe
SHA256 ecae9c306eff175c4c38a1da54416fddc4161f859ddcd24b66cc7ec8bd098564
Tags
microsoft persistence phishing product:outlook upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ecae9c306eff175c4c38a1da54416fddc4161f859ddcd24b66cc7ec8bd098564

Threat Level: Known bad

The file c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:50

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:50

Reported

2024-06-16 00:53

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe
PID 3776 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe
PID 3776 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 172.16.1.182:1034 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 172.16.1.166:1034 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
N/A 192.168.2.12:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 acm.org udp
SG 74.125.200.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.10.10:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
N/A 192.168.2.12:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 23.63.101.171:80 r11.o.lencr.org tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 171.101.63.23.in-addr.arpa udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.altavista.com udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 52.101.10.10:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 65.254.227.224:25 burtleburtle.net tcp
N/A 192.168.2.18:1034 tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
TW 142.250.157.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 85.187.148.2:25 mail.gzip.org tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.194.16:25 outlook-com.olc.protection.outlook.com tcp
N/A 192.168.2.10:1034 tcp
US 8.8.8.8:53 lists.stanford.edu udp
US 8.8.8.8:53 mxb-00000d07.gslb.pphosted.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 67.231.149.169:25 mxb-00000d07.gslb.pphosted.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
GB 142.250.187.196:80 www.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 smtp.gzip.org udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 coloradotech.edu udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 mx2.hc3950-10.iphmx.com udp
US 8.8.8.8:53 hachyderm.io udp
US 216.71.147.46:25 mx2.hc3950-10.iphmx.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.27.26:25 aspmx.l.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 209.202.254.10:443 search.lycos.com tcp
US 52.96.222.226:25 outlook.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 192.168.2.13:1034 tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 tcp
US 209.202.254.10:80 tcp
US 209.202.254.10:80 tcp
IE 212.82.100.137:80 tcp
US 8.8.8.8:53 udp
GB 142.250.187.196:80 tcp
US 209.202.254.10:443 tcp
US 209.202.254.10:443 tcp
US 67.231.149.169:25 tcp

Files

memory/3776-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/224-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3776-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3776-37-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3776-42-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-43-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 44147e30f19429158696b408d898e84c
SHA1 93717cff798514afc168607747f884cbf0994b82
SHA256 6f7a6189ff9ea66e8f11992da570770b4884e4f610aae1bab54315471a4e951e
SHA512 9896fc28170a0f5cffe203bf95c9c70e19d58067854faf286353c8f20b14c9f5ec267e65b3bcfcc71034c4ca2d7c3171924b0373fb74c227babd18f060a47934

C:\Users\Admin\AppData\Local\Temp\tmp93F1.tmp

MD5 5550a7488e870be6e9f502752fb90532
SHA1 1767b97e9933491909034795965610d723d0e991
SHA256 da2e8b26f98fe9a23134799853f2810d60e6d04eefeeb6214625a6dba1bebaca
SHA512 cc87de8bf9ee3c2fb1374383d5c036dd7da048e227b4cd7db7b7b4479eb53a1d0b3e65cdef9e8d6fca680fb330b6ff05ac833d679b8c8aac3ba6b5fae4b26e4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/3776-161-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-162-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3776-163-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-164-0x0000000000400000-0x0000000000408000-memory.dmp

memory/224-169-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3776-173-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-174-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 0a0f2191aa71cce6870024a782bc4999
SHA1 78437a583e013c27ba3f6194ccd5fb2525e75167
SHA256 02733a4a21b98d78ca9873ff8aa07130ca225eca3b1be63ff749b2ad66765f95
SHA512 7c6b13d266a91c41db1ad5cf11f8751dd1c3363b2c3f9e1f94cba1eb17e7edc2a893eec0403a32e4cec0bc45924f99057afd3031f3c099e8f8354799ad32799d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\K2NJS7SI.htm

MD5 91830ce19c3f97df7f671fab09d7ac4b
SHA1 480fdcd41ac9d6c04521e534d0333433a9528d99
SHA256 c451a2f208f7275b5c1499b66f7bd7433d700efe9dc1c1f80656fed7726f32c2
SHA512 950f1c151b6fa18be66a7f9b099944e0e3cf3213746a044fefa9e5ad310648b15b0f776a1b710e64bb4f4cd961191357d8cccbe2944a24f1bf36e858b86e7e14

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

memory/3776-251-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-252-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[6].htm

MD5 6075d1e85779706c6e206bd290858421
SHA1 48fefbb8f61c5c4c6b7b3ec5c543d7ff12ca5720
SHA256 8d29f5db3978d98bdb7dd421e433104c0ce8b3ed0ce4751fc01872d3fa181699
SHA512 7a971e8be47b76448c2ddbd36af333205a372a38b661e35b88cab9039532ed26b4b14a9d3054d29914973355293bbf0cd5f9b4e084fddfdbc0c3783ddf9ecd83

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[9].htm

MD5 c1fbf6271ea25d6115a745e28a1f51b2
SHA1 bde5426d24f6fad9bdcb5b9cba9709d129836d12
SHA256 781c6756bc7b7bb8e5a05995dcaf4730ddcda1aa8a08dc3e339c6f9e2df35caa
SHA512 e71d60691b878423624c2db7a1674962eead14b7805c28fefef26852d2fd93e49b47edcca0f05fd00397663402b39c00015e848a042fdb9272b733d86f1070e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\searchRBZVXDUJ.htm

MD5 3a9b9222580c5349f895b7798dba0275
SHA1 33fcd83adb407ce5c54b01d9b91a30aace5a0d08
SHA256 faeda10ce2e2cbe3d5487e178b7003397c55ed42e883dbaab1171b3d5ff5537e
SHA512 8a8c3ad3783c98f146a709e2b4c8e8df150300ac29c78328d372bf8a1ae0b114412f0fc623d6e1cfad4acd0010fbe5283a32c3ac451ee3fca133ce36152a0506

memory/3776-419-0x0000000000500000-0x0000000000510200-memory.dmp

memory/224-420-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\search[9].htm

MD5 796ba45c7205476227e249d19f13809b
SHA1 294a823972478a309a22170be305f064c7110b8c
SHA256 303ca543aba033b8b0a66d7c62580180e838f086734be57a8ca8d6f08c9ad2e7
SHA512 57523b3c00aa5d8d611cb663bec5ebaf11995c33537efa528ef515aa8f5dabc091c62ea047e26533fae9a1d11fbadf36cb65a37701b5828a36558bf8657cb7e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search24IPXUKD.htm

MD5 71320100b22868d64d0e24d45ae019fe
SHA1 5a6c7eab43f56913bac60295d4728b2b764e4b61
SHA256 d61bd93d6ade020d87d55775b0a4d81404424bf13a1d1eb8f99a5c6e0a51d85a
SHA512 9e9821184a5b14afed6765ee62a14d22b684650d6d24bda401c5a35f681ec68fab90ff00696dde84e01a2fae87ee23bdfb8d5328c340d26851ebca0dc0676fee

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 230be7e612eddd73a2ff902f8d970495
SHA1 c01cbf3624aeeda9c9a7109615628c395f3533f6
SHA256 211ba3912f9114d65b4de107d3ef0cd8d6f7e074788888e90a7768fbe2c2669f
SHA512 36deb8b00f40a2f22c76e27520e777fa83a1ad629d461a26b4acb7efe03ef0de819881819746f3eac34ed917f78af99da282bc73671b1ecb41f15bfb6f563e5e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\searchV0UJ5MHL.htm

MD5 4b83345caa8db8d10a5bcd58adba022d
SHA1 32221dd2ca8677f65bfb90b762cff3f52de36c3a
SHA256 505fdad4f1c418337fac077cfba7411af7855970af3b3a90732d46b72a9c8e5a
SHA512 86c70f34b704385894d2d62062df07dada44d67c6c2e41db7e432681b59f40fb76acd9bcd091a38eaaa481a8970aa1ca62bdf6f7a4ced04ac457d1a04a057491

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\default[2].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\searchOBD0JRWY.htm

MD5 5a919c244746fd469332ade5cd0fbf2e
SHA1 093db588fc1b6c3b3e1903911cdc9039834f5461
SHA256 fa4ab9e484bdd6b31bf15ddda7a86c0eac65a7b59c6457a0dc059e87204b65b3
SHA512 c1fd46e339f567ea2a4856324e7e730101a6570d0bcf4e06a7e353f35456cee83d6a64973e306ea00043c3e491b09ca7961894ea4c62bcf4df9ed4c4657cd131

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\searchYS0X43XE.htm

MD5 87c736e8d1778a6b4e71e32b734da181
SHA1 a676eb734de1e940e96274732998e7b0e2d19ae5
SHA256 041f00c69ac87fa16ed8d227797b1414997fe8d5c5df56db25b58ff95ed70307
SHA512 86dc33550cd6aeaafdf2d3276ed9dce1b7de6936da5a1553bcfc103df1e5b0bf7e2581f4acd15e28d026135eb75739b69bf86a724863d44a8b7df1397aed4437

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\search8HLTXRH0.htm

MD5 bdb06ae4554c8981944fb425f49ba5fd
SHA1 5416c1a049c960fe3043f61600ecfe7b2f4e3823
SHA256 8933b9517090f09ba3883998ff5574f8164bd6a629b3cdd27b19123353c07870
SHA512 53418e02d0aff08169a1dd3ae326bdd57930d7610210094c636d2180d9b9035b6d10ecba4e2d775f90193312b38867729c580a897e179f212c5109217e6dbadf

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:50

Reported

2024-06-16 00:53

Platform

win7-20240611-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe
PID 2292 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe
PID 2292 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe
PID 2292 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c7a12c5b4b33caf85bb82d9b5fa50270_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
N/A 172.16.1.182:1034 tcp
N/A 172.16.1.166:1034 tcp
N/A 192.168.2.12:1034 tcp
N/A 192.168.2.12:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.10:1034 tcp
N/A 192.168.2.13:1034 tcp
US 8.8.8.8:53 udp

Files

memory/2292-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2292-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1752-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-8-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2292-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-42-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-47-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-48-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4cb1e33436057bfde326c4e9bc9777bf
SHA1 c89c1db081ca40eaaf8c1f49db1464e253a7caa4
SHA256 658ed2789373a5b21710c33ebc2c901168d7223a52fec6d3c50036b78c6611a9
SHA512 ef2a84ebbe182c55d4ad525c2b417a540e97d21577cc936a9568863b9c53156b9107a95c249738ba5514422c3500de0b1171629147e7e5159807dde5b4626b4d

C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp

MD5 4d3b5dc8c601586da3f1c50ea8d11a71
SHA1 d7394a7b7f8daf8219d336ce9953642043d34bb4
SHA256 74cde6cceb880c1955a384995eac802730e4122cf6d6ee390a693598da8c6bc6
SHA512 307295ea325f81c0992727348a6f4b70753c9877f363093ea13a5405fcb37f08a27e73be2efad3612a2fd9489741aacba7cb84136ac0cbe13d703136f5c11148

memory/2292-65-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-67-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-72-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-73-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-78-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2292-79-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1752-80-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1752-85-0x0000000000400000-0x0000000000408000-memory.dmp