Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 10:22

General

  • Target

    38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe

  • Size

    29KB

  • MD5

    38898c293b84f1bcb71bc0ff9edb24f0

  • SHA1

    0cf3097ed4b8f0aad3dde3ea57b77a36cfab290e

  • SHA256

    f15ad7a16fcc261b0550f37441b26d953a3cd1b884464dd2bbabefa0a7950e4a

  • SHA512

    149d292e4be9b5e636de47e37a013697ac8c2915bd8fe32ca5025ce5e81188aad6f56aae54e96ec038b38def7280761b6e747b30dd1a03f1b525052eab289d13

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1:AEwVs+0jNDY1qi/q9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2436

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
    • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1

Downloads

  • C:\Windows\services.exe
    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
