Analysis Overview
SHA256
8a646c74280bd7fc913001a7f8ecc532fdafad5ea0c41f6408882efcdc971077
Threat Level: Known bad
The file d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-16 03:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 03:43
Reported
2024-06-16 03:46
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3460 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
| PID 3460 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
| PID 3460 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Windows\services.exe
C:\Users\Admin\AppData\Local\Temp\zincite.log
C:\Users\Admin\AppData\Local\Temp\tmpF2E7.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[1].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\results[3].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[1].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[2].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\ZA17JAYC.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\W1H4WTGN.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\126N07QX.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[4].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\P6419TWY.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[4].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\searchI5XDFQSK.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\results[4].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchV6LL2P5J.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[1].htm
| SHA512 | 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 03:43
Reported
2024-06-16 03:45
Platform
win7-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 836 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
| PID 836 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
| PID 836 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
| PID 836 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2e12cd063c33317ede03e1b6eea9ae0_NeikiAnalytics.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.0.2.15:1034 | | tcp |
| N/A | 172.16.1.182:1034 | | tcp |
| N/A | 172.16.1.166:1034 | | tcp |
| N/A | 192.168.2.14:1034 | | tcp |
| N/A | 192.168.2.14:1034 | | tcp |
| N/A | 192.168.2.18:1034 | | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| N/A | 192.168.2.17:1034 | | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| N/A | 192.168.2.13:1034 | | tcp |
Files
memory/836-0-0x0000000000500000-0x0000000000510200-memory.dmp
memory/836-4-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2876-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-10-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/836-17-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2876-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-23-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-29-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-41-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-43-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-48-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-53-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2876-55-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-59-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2876-60-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-64-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2876-65-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-66-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2876-67-0x0000000000400000-0x0000000000408000-memory.dmp
memory/836-71-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2876-72-0x0000000000400000-0x0000000000408000-memory.dmp