8a646c74280bd7fc913001a7f8ecc532fdafad5ea0c41f6408882efcdc971077

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
Size

41KB
MD5

d2e12cd063c33317ede03e1b6eea9ae0
SHA1

c8454ef94238d62ff98cea6d645230163c6d0e6a
SHA256

8a646c74280bd7fc913001a7f8ecc532fdafad5ea0c41f6408882efcdc971077
SHA512

2ef1c2778860f784bd3db3457538371c0def37e3040f6e2bd9da749bf8f4f5a25ee4318a2b2920517e89bc92f016c222a7e9b267da9ffdf6e11285a6d152ce7f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2388 services.exe

pid	process
2388	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3460-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2388-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2388-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2388-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2388-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpF2E7.tmp	upx
behavioral2/memory/3460-218-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-219-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-292-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-293-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2388-298-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-299-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-300-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-317-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-318-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-319-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-320-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-374-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-408-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3460-500-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2388-553-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
File created	C:\Windows\java.exe	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe

description	pid	process	target process
PID 3460 wrote to memory of 2388	3460	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe	services.exe
PID 3460 wrote to memory of 2388	3460	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe	services.exe
PID 3460 wrote to memory of 2388	3460	d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\searchI5XDFQSK.htm
Filesize
149KB

MD5
21223154f1930ebbd553ae53b96ddf89

SHA1
3117e5e00d3f01fb99f8210220db92965ec84c3f

SHA256
9414c4c2a7cb7b781caa07eb2deb04df206fe8bc6a4a45d387b20e3c4cfa3058

SHA512
cb154bda3be5ee0c9f115e816102f2adbef5150a99a480108bfc569b35ae06a8daf7501bff633c55059fba24c8d772163e85f47b42b82298f1bae142ef728b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[1].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\P6419TWY.htm
Filesize
185KB

MD5
bbea0c7f1d3204c7747339830e119011

SHA1
0ca84c33cc97ea931c0556ef627595abfa24f04a

SHA256
b8506e5c37c73348b34fee422d23aa04a6644d5a11fa9d2f7a42d37e56d65bdc

SHA512
2417a0e7f71bbbe31afe6b979203bf1e4b063a724dfa50d697b64a65884654c8d21ff9e4e66eb9fe5cbdfd01cda9823bef004724b0abb6e654b7d2479cea59ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\results[3].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchV6LL2P5J.htm
Filesize
138KB

MD5
9154cf55f613148d59d3e3170edeb432

SHA1
f3bbcb5e9eb9551dd0996444686641cb1ed950d7

SHA256
25cbef9672e89f42328bbc3d22e6d681fb57d50796340bfaf92042ed4309c90a

SHA512
10b08d01c6ce776b29b88f7ab0aad1d208bab70b090c6604db6816caec37dfb1eccc45eaf656185d854bb772df1a9574be5ac71feaf95a2c4a2dc2ee7bb4eb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\126N07QX.htm
Filesize
185KB

MD5
d7d8905ad025891100758c91b4fd3d13

SHA1
295f01c5d78bdfea68c47e01fe849903f5893c7b

SHA256
c4a72378f997a33ed2ce1057261c8dd0a383842db6070f19c80ec9c567a3d58d

SHA512
074f670559723b904bd486600469fda580607f39e83374516674daf46774a464cf4a21fc20613fb3868b27df44a6ec69b1ca9bc14ec5c6202a03979d4cf3aee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\W1H4WTGN.htm
Filesize
185KB

MD5
1bcf50995fba571c1deee032e2028235

SHA1
a261f384f6700473bd2933d851d83f8b5b74cb97

SHA256
0b96d54b3acc93c252cde0a2ef76af95aebee8545cb132beb4a7e3e54dd45eca

SHA512
727345086584a21f7fec6ee66650ed497f68c96c5c6b14bf34774901773a08a3f939303ae2d21c1ded4065ed218cfab3fcdbc12c6af5ee7baf21c2a32d6fea0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[1].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\results[4].htm
Filesize
1KB

MD5
7a332319b4c67a0c2b49c9fb95a8b533

SHA1
a73a00ba83953575917a2060c009253fc0db93c4

SHA256
3c0cf785ae4898fab36c8e6e6d1ff44a1b980db0216539cc895157efe273da2d

SHA512
e057941f8e9e7f686dda89bd88a6781bdfa6d7f4545c3ad185ebf0a9828b29789f91a616f5eabe0c7c1cdfd9dfa46f443564e9cfc36de6b04f03dfd6ab67f100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[1].htm
Filesize
115KB

MD5
f85653b36c596fea4742a389e49c10f8

SHA1
c3ad1460c4a74b29f4153bcf62a4f9c0238caaf3

SHA256
2e2e4689f55398e7c1018c273beb403e067da30259bd8f450ddbdb982bfa7e82

SHA512
04779aa13a54d4bdafe1f401ec78a25ec6737e876d8030ca24185507663f79f81cd157c22f7ae1b905c6f14ecaeb08c1cd6ecaf2db18822b0d840d932abce860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[4].htm
Filesize
112KB

MD5
050ae4524a093a52702520faba7e698e

SHA1
2fdbcc2af1466369f26dffde14ed0d2f96c500a7

SHA256
d51126b750ebb4ff7bbf8ae5e09208bb3dd9de731210a0381e812be05ba012f1

SHA512
55a241c99069928769c4244712eceb70c7f1a282d5e825b352fe631cbd8a439c46e93ee6187734e60a7f5bad3f2e204e8018560f2a9365bf03f663d3908ccd28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\ZA17JAYC.htm
Filesize
185KB

MD5
431726b2c6bb166c6b5baccbff5b4314

SHA1
e97dff7a5ec68369524db9f56d43bcc025776425

SHA256
a0414255bcbbd97736eeafe738f1d0ccd81c0605d0796b4b90c9f114ca5db0df

SHA512
eb326b546678346d6b8022e5a87767d926283ebba8d86cb45018f03607813ddae3cb50570cad466a7cbf87edfb347e80052eb4f4ead5aa0cb7489eca5dc16346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[2].htm
Filesize
159KB

MD5
d61fce3635f4cf82829485e9d5cc216a

SHA1
f5c4f658e3b41f46822e52f701fc35e6cf02166d

SHA256
81f1e4e64c3af987f1e496ef5df612a1c613c47e8d3380cabef0747b789eb24b

SHA512
ae3bcdb8e3bf5c69141fd91b683ae5b3847d8a2ce8ef79a3c8647cf63a6ece28f60f3356c62a0d9bf9b16db6fabbf1fb9818cefb722e191b5b42d0dd84ca329c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[4].htm
Filesize
136KB

MD5
6e575975160871d029dacffb9bcbf2c0

SHA1
88826f96301325b1fcdb32b4fade2f842f79978a

SHA256
8a451b9444f516b986a3d32a8c9ef6c9000895fa691464e22155840eae6ea989

SHA512
6da005f72c604ccfaeafff07526a2e94b00078d58a0b805044c4c5eb0b65bc20e04e26ebbd4c67cceec5a2bdba3f68e7f6cc2b6c925382b232be49e68955fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2E7.tmp
Filesize
41KB

MD5
09b5375991c45ac5259a598bed8906c3

SHA1
e2c76e0c7a552dc0f457087401346b02d580e5e2

SHA256
880f8e1d5f9cca3da145a1c474cf238ad0a10caf8f403b34d6fd16a3d1c1e530

SHA512
66d5f661830e8d5897c0dc93fcb7f001e7e0bcd8ff6a47b05f204826ef13179a5b5241c4b9781364754fca7ae6c4f2ffe8a7fc7a181930fc35bd38c2d9449e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
56d81911d3e0db9a27f313502824a47a

SHA1
451022dc4de526fe3413effaafc31061b708ef45

SHA256
98d9496275e2e9bfd88405de299525e234420dd3bd19492a5848f90cfdf6c9d7

SHA512
e02fbfc277ad1364456f89c7dfb44ef0b994c0aaca3e33fbf7cba78ff4d59577388a4dd0ecef6899a380c74dd1a0fe3d84c1b20f1869a349a92f75242e4b3190

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
c0ed4a48ed8c9453b25787c49ae78164

SHA1
8a6fa093167e3fd850615b44cb0b1154579bee07

SHA256
1fb1b428595b88a403bfacaa83ce73fd0a244234d63d5a39b242713943164683

SHA512
5778e1bf53908b1b6f9282891547fca20fa580ea3eb1b715da2c71d0bc3416e804818dc9c979b447cb0b5f3e9d625733e4b87c3e45b301b70beba98c8494c620

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
b9a402b41edb1343c7ff31f9b4a06be0

SHA1
f4d90b3d0acf7f48d592780dff4374d8301c7c5d

SHA256
315f3b63e08e09b3cc615e6549ceca5857587a01f5e8275d6cc78e798baa9d95

SHA512
eb3dcad6141a8d5c3664bddba3c93e78def7eb009daf74178163b7130caebbe22f51a47ac7872512072f9f83302bc046dbe7fcf5c07ba809505a867cd86df275

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
2a731402fd10248a88775f56648ce5cb

SHA1
6fe753b99c9ee12d9268e52aa6b3ef58e035f7dc

SHA256
703fed39d672191af91a7909ceab6e189cd0b30cf8a8c2b7659842b450dbcdb5

SHA512
743b4894588b175eeb79d00cb22a299d001428c049d5c378e3b525a3905752e54fe04097890d56c062f8d1b534cb50b9a7d1639c406a482d459cfde3a49b499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
12KB

MD5
49e41d13ad1a69419445d22bbf60ee62

SHA1
225fb4dbda3524376970b509b5d5ece14ace84a7

SHA256
4bc7cd04048750f0aa7c9066e6fb217ab1d5d3e350abc05d407273c9ef5e6095

SHA512
cc46ce0fecd321994fc7175da23e7301959a3ace02a8ae2fe838046a3f8d4884fe9aa17cf27c4fec26a2493d54bc3d3d243c9240f01fdadd48cc7939c75d46e9

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2388-293-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-298-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-300-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-408-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-318-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-553-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-320-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3460-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-319-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-374-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-317-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-299-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-500-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-292-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-218-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3460-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download