Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 10:22

General

  • Target
    38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  • Size
    29KB
  • MD5
    38898c293b84f1bcb71bc0ff9edb24f0
  • SHA1
    0cf3097ed4b8f0aad3dde3ea57b77a36cfab290e
  • SHA256
    f15ad7a16fcc261b0550f37441b26d953a3cd1b884464dd2bbabefa0a7950e4a
  • SHA512
    149d292e4be9b5e636de47e37a013697ac8c2915bd8fe32ca5025ce5e81188aad6f56aae54e96ec038b38def7280761b6e747b30dd1a03f1b525052eab289d13
  • SSDEEP
    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1:AEwVs+0jNDY1qi/q9

Malware Config

Signatures

  • Detected Microsoft Outlook phishing page
  • Executes dropped EXE (1 IoC)
  • UPX packed file (25 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe (PID:5088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\services.exe (PID:2080)
      Command line: "C:\Windows\services.exe"
      • Executes dropped EXE
      • Adds Run key to start application

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547), 1 hit
  • Registry Run Keys / Startup Folder (T1547.001), 1 hit

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547), 1 hit
  • Registry Run Keys / Startup Folder (T1547.001), 1 hit

Defense Evasion
  • Modify Registry (T1112), 1 hit


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search2ISZ2D5C.htm
    Filesize: 144KB
    MD5: 7e2b0f311a515f80733f0df1f0706cb6
    SHA1: 022523698a816e3a62c028141f0719a131a2721c
    SHA256: 6868078fd987ba945b1b3281b21789f8d2329a81db354b39eca7ffcdd7249a7c
    SHA512: 6ae43e67e2864c9112113c6a8d8ac119e1dafbfebc025ec3bae998c75cfa95b268165a03c04a0735586f914a5446df857a90162436604900ff6eb0f7f99b0829

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[4].htm
    Filesize: 25B
    MD5: 8ba61a16b71609a08bfa35bc213fce49
    SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
    SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
    SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\Y6JIBP3J.htm
    Filesize: 175KB
    MD5: 33ba515f70457e90b7118e70ff81a0df
    SHA1: 43f9ca66eaabffcf7376531ee9555c8e23bc172a
    SHA256: 6f1c2e76792b2288b1ca7481b783cb0be8d510a22eaeb884671e44b05952f07e
    SHA512: 14e78bc79eb0c43ba603312401eeb78c4c1df76c95bfe7f618e8f9732c31357696784e24b4bf0ba23684a80c2d9894cd6d2e6c410dc0d188f42d3cb6aaf8d6fa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\8YKRK72C.htm
    Filesize: 175KB
    MD5: bf0f676125a4c8c82e99360357b38480
    SHA1: 1051ab21414ab0e83f1bddeead338f8cce1eef4c
    SHA256: 75cde839e6ed42eb7635489030f7b7323061cb120be2138b3d83d45aa4560be7
    SHA512: 6bddd6865332e3fd24f213f6c7a2c1ba5be893944973033bc4c3f05db39b743ffa3a4a56aeaf34eafdb35535cd71f1d5d20f70818983f146cb93cec5ec668185

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[10].htm
    Filesize: 130KB
    MD5: 7cc186e446a779b1f5173bfea4eee0ca
    SHA1: 81e6b4baa7bb590be38d61dc348dc6226882a5d0
    SHA256: 43e5e33de05879118dc74df4ae1b1ada099c3d758ccf69cfc258b560606ebf45
    SHA512: 77df9bf9922074327f1eedee4a8b732b20f440613816bef6a5ae894eea6560e2ab4b77a4a53952d087d8f4a973864278ecdd2f008761ebfa3169b994e02d4442

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[7].htm
    Filesize: 118KB
    MD5: 9c06cde9bfda47a1c2f699f82cdef93d
    SHA1: 2a257ec314a62f14be725f74e7ed0e3bf18c0bff
    SHA256: ce108fde434bcce5fd17c0439a282d300a35fce34eb28f28d03303710de9be7e
    SHA512: 4d140063ce53268402c8508b04c124548a33d818af89f9b67a5ffcb0d24936fc0624f136f3dfacde043ee7c2a2a8ece215f3ce30249f50805732c8b1599eb55a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[9].htm
    Filesize: 171KB
    MD5: 08efa65a9f1b415b91510a28fee94d18
    SHA1: 8473077f24293b6591eba57ce97c694d43c5c670
    SHA256: 6a5f95881d7b0e5503baa65d60dfb92f9770e0749b05f5341c8bd7c8cf9604a2
    SHA512: 4607ead1afd6ad185244db96f948386dfa76bff6a28c94a461ea14107d2057aefea13ff3589fae1b135134c87ef94b9b2e089b6f7f9971a12d180b0be2ac98c1

  • C:\Users\Admin\AppData\Local\Temp\tmp9C1C.tmp
    Filesize: 29KB
    MD5: 1343a1fe236d04dd2a8c5e815e0ca0a3
    SHA1: b3e139bbda5e13a3dade229c1c6ab712a1c9cc30
    SHA256: fc2daef6bf9f59617b1dc5e4fd08079c83b66f97d883f5e307fb817d18c19a9d
    SHA512: a8d5328c4990f30a6bdedcb0e84f43b906eb007dfbb50dfda197804bb9ceeea61765d141ed876fc3fd1d95026398a2743eb60eec0f24ad16f70db6c1c70b6dd5

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize: 352B
    MD5: 9c57e61a78466cd3603798f4d51e1085
    SHA1: 841f422e98d003b5a7baed8dcdc97cdd20cfcb75
    SHA256: 1f0c8938219f178b281397dbd78ff9e47aaaa8668feac8f1211d9f82e80072bb
    SHA512: 623e51b6596fa52c133e2468603b506478604ba8e6cfd55eed5708a6c4889940a661f70df496ee832d67f7a3568b837de06b13ef773b78a4755551b0eb84cef4

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize: 352B
    MD5: 9afe68648f5d1796419c15d5d1c8e6af
    SHA1: f678d8eb7efb89f1829033cda9b9db446c101607
    SHA256: 7d3f523fe0589a3f13f4f9f646be7b437595bc19a67c56e7f5d7f9f04c74ff22
    SHA512: 41ad2b8e4aa89993b620d26f8d8d169f1c168adf8ae901b35de74e6640c2ab4b79e76baa3f1d21ce6c4ed26f634db104dce2e8ade5dcbfc97e7f4dd171b7cc4e

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize: 352B
    MD5: a0591e2baa18055d995662f879411f46
    SHA1: c0fabd0782ae7e139fa7941c98e53165d0cddbe7
    SHA256: 0796a329a1f07ce41bd65cd7be6e63aa323b9f1479879a921fc8bb0ab3c3c736
    SHA512: bb93314d673ebeee98897f673b3bb24a16fdf775e2b0cdee3fbc3f1341b1c84da41da3efc38cce3e1f327e2a042152eda2d65a58730103b72d52e6dc398607c5

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize: not reported (the four digests below are those of an empty file, so this snapshot of the log was captured before anything was written to it)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\services.exe
    Filesize: 8KB
    MD5: b0fe74719b1b647e2056641931907f4a
    SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
    SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
    SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2080-31-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-24-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-344-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-7-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-99-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-38-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-36-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-14-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-26-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-274-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-240-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-43-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-19-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-272-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/2080-267-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
  • memory/5088-266-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-273-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-239-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-0-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-13-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-98-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-343-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)
  • memory/5088-42-0x0000000000500000-0x0000000000510200-memory.dmp (Filesize: 64KB)