Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 10:22
Behavioral task: behavioral1
- Sample: 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
- Size: 29KB
- MD5: 38898c293b84f1bcb71bc0ff9edb24f0
- SHA1: 0cf3097ed4b8f0aad3dde3ea57b77a36cfab290e
- SHA256: f15ad7a16fcc261b0550f37441b26d953a3cd1b884464dd2bbabefa0a7950e4a
- SHA512: 149d292e4be9b5e636de47e37a013697ac8c2915bd8fe32ca5025ce5e81188aad6f56aae54e96ec038b38def7280761b6e747b30dd1a03f1b525052eab289d13
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1:AEwVs+0jNDY1qi/q9
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2080  services.exe
- Processes matching YARA rule:
  resource                                                       yara_rule
  behavioral2/memory/5088-0-0x0000000000500000-0x0000000000510200-memory.dmp    upx
  C:\Windows\services.exe                                        upx
  behavioral2/memory/2080-7-0x0000000000400000-0x0000000000408000-memory.dmp    upx
  behavioral2/memory/5088-13-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral2/memory/2080-14-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-19-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-24-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-26-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-31-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-36-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/2080-38-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/5088-42-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral2/memory/2080-43-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\Temp\tmp9C1C.tmp                  upx
  behavioral2/memory/5088-98-0x0000000000500000-0x0000000000510200-memory.dmp   upx
  behavioral2/memory/2080-99-0x0000000000400000-0x0000000000408000-memory.dmp   upx
  behavioral2/memory/5088-239-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral2/memory/2080-240-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral2/memory/5088-266-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral2/memory/2080-267-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral2/memory/2080-272-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral2/memory/5088-273-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral2/memory/2080-274-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral2/memory/5088-343-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral2/memory/2080-344-0x0000000000400000-0x0000000000408000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: services.exe, 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  description      ioc                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"        38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  description                   ioc                      process
  File created                  C:\Windows\services.exe  38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  File opened for modification  C:\Windows\java.exe      38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  File created                  C:\Windows\java.exe      38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  description                      pid   process                                              target process
  PID 5088 wrote to memory of 2080  5088  38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe  services.exe
  PID 5088 wrote to memory of 2080  5088  38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe  services.exe
  PID 5088 wrote to memory of 2080  5088  38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe  services.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search2ISZ2D5C.htm
  Filesize: 144KB
  MD5: 7e2b0f311a515f80733f0df1f0706cb6
  SHA1: 022523698a816e3a62c028141f0719a131a2721c
  SHA256: 6868078fd987ba945b1b3281b21789f8d2329a81db354b39eca7ffcdd7249a7c
  SHA512: 6ae43e67e2864c9112113c6a8d8ac119e1dafbfebc025ec3bae998c75cfa95b268165a03c04a0735586f914a5446df857a90162436604900ff6eb0f7f99b0829
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[4].htm
  Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\Y6JIBP3J.htm
  Filesize: 175KB
  MD5: 33ba515f70457e90b7118e70ff81a0df
  SHA1: 43f9ca66eaabffcf7376531ee9555c8e23bc172a
  SHA256: 6f1c2e76792b2288b1ca7481b783cb0be8d510a22eaeb884671e44b05952f07e
  SHA512: 14e78bc79eb0c43ba603312401eeb78c4c1df76c95bfe7f618e8f9732c31357696784e24b4bf0ba23684a80c2d9894cd6d2e6c410dc0d188f42d3cb6aaf8d6fa
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\8YKRK72C.htm
  Filesize: 175KB
  MD5: bf0f676125a4c8c82e99360357b38480
  SHA1: 1051ab21414ab0e83f1bddeead338f8cce1eef4c
  SHA256: 75cde839e6ed42eb7635489030f7b7323061cb120be2138b3d83d45aa4560be7
  SHA512: 6bddd6865332e3fd24f213f6c7a2c1ba5be893944973033bc4c3f05db39b743ffa3a4a56aeaf34eafdb35535cd71f1d5d20f70818983f146cb93cec5ec668185
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[10].htm
  Filesize: 130KB
  MD5: 7cc186e446a779b1f5173bfea4eee0ca
  SHA1: 81e6b4baa7bb590be38d61dc348dc6226882a5d0
  SHA256: 43e5e33de05879118dc74df4ae1b1ada099c3d758ccf69cfc258b560606ebf45
  SHA512: 77df9bf9922074327f1eedee4a8b732b20f440613816bef6a5ae894eea6560e2ab4b77a4a53952d087d8f4a973864278ecdd2f008761ebfa3169b994e02d4442
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[7].htm
  Filesize: 118KB
  MD5: 9c06cde9bfda47a1c2f699f82cdef93d
  SHA1: 2a257ec314a62f14be725f74e7ed0e3bf18c0bff
  SHA256: ce108fde434bcce5fd17c0439a282d300a35fce34eb28f28d03303710de9be7e
  SHA512: 4d140063ce53268402c8508b04c124548a33d818af89f9b67a5ffcb0d24936fc0624f136f3dfacde043ee7c2a2a8ece215f3ce30249f50805732c8b1599eb55a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[9].htm
  Filesize: 171KB
  MD5: 08efa65a9f1b415b91510a28fee94d18
  SHA1: 8473077f24293b6591eba57ce97c694d43c5c670
  SHA256: 6a5f95881d7b0e5503baa65d60dfb92f9770e0749b05f5341c8bd7c8cf9604a2
  SHA512: 4607ead1afd6ad185244db96f948386dfa76bff6a28c94a461ea14107d2057aefea13ff3589fae1b135134c87ef94b9b2e089b6f7f9971a12d180b0be2ac98c1
- C:\Users\Admin\AppData\Local\Temp\tmp9C1C.tmp
  Filesize: 29KB
  MD5: 1343a1fe236d04dd2a8c5e815e0ca0a3
  SHA1: b3e139bbda5e13a3dade229c1c6ab712a1c9cc30
  SHA256: fc2daef6bf9f59617b1dc5e4fd08079c83b66f97d883f5e307fb817d18c19a9d
  SHA512: a8d5328c4990f30a6bdedcb0e84f43b906eb007dfbb50dfda197804bb9ceeea61765d141ed876fc3fd1d95026398a2743eb60eec0f24ad16f70db6c1c70b6dd5
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 9c57e61a78466cd3603798f4d51e1085
  SHA1: 841f422e98d003b5a7baed8dcdc97cdd20cfcb75
  SHA256: 1f0c8938219f178b281397dbd78ff9e47aaaa8668feac8f1211d9f82e80072bb
  SHA512: 623e51b6596fa52c133e2468603b506478604ba8e6cfd55eed5708a6c4889940a661f70df496ee832d67f7a3568b837de06b13ef773b78a4755551b0eb84cef4
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 9afe68648f5d1796419c15d5d1c8e6af
  SHA1: f678d8eb7efb89f1829033cda9b9db446c101607
  SHA256: 7d3f523fe0589a3f13f4f9f646be7b437595bc19a67c56e7f5d7f9f04c74ff22
  SHA512: 41ad2b8e4aa89993b620d26f8d8d169f1c168adf8ae901b35de74e6640c2ab4b79e76baa3f1d21ce6c4ed26f634db104dce2e8ade5dcbfc97e7f4dd171b7cc4e
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: a0591e2baa18055d995662f879411f46
  SHA1: c0fabd0782ae7e139fa7941c98e53165d0cddbe7
  SHA256: 0796a329a1f07ce41bd65cd7be6e63aa323b9f1479879a921fc8bb0ab3c3c736
  SHA512: bb93314d673ebeee98897f673b3bb24a16fdf775e2b0cdee3fbc3f1341b1c84da41da3efc38cce3e1f327e2a042152eda2d65a58730103b72d52e6dc398607c5
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\services.exe
  Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
- memory/2080-31-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-24-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-344-0x0000000000400000-0x0000000000408000-memory.dmp  Filesize: 32KB
- memory/2080-7-0x0000000000400000-0x0000000000408000-memory.dmp    Filesize: 32KB
- memory/2080-99-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-38-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-36-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-14-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-26-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-274-0x0000000000400000-0x0000000000408000-memory.dmp  Filesize: 32KB
- memory/2080-240-0x0000000000400000-0x0000000000408000-memory.dmp  Filesize: 32KB
- memory/2080-43-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-19-0x0000000000400000-0x0000000000408000-memory.dmp   Filesize: 32KB
- memory/2080-272-0x0000000000400000-0x0000000000408000-memory.dmp  Filesize: 32KB
- memory/2080-267-0x0000000000400000-0x0000000000408000-memory.dmp  Filesize: 32KB
- memory/5088-266-0x0000000000500000-0x0000000000510200-memory.dmp  Filesize: 64KB
- memory/5088-273-0x0000000000500000-0x0000000000510200-memory.dmp  Filesize: 64KB
- memory/5088-239-0x0000000000500000-0x0000000000510200-memory.dmp  Filesize: 64KB
- memory/5088-0-0x0000000000500000-0x0000000000510200-memory.dmp    Filesize: 64KB
- memory/5088-13-0x0000000000500000-0x0000000000510200-memory.dmp   Filesize: 64KB
- memory/5088-98-0x0000000000500000-0x0000000000510200-memory.dmp   Filesize: 64KB
- memory/5088-343-0x0000000000500000-0x0000000000510200-memory.dmp  Filesize: 64KB
- memory/5088-42-0x0000000000500000-0x0000000000510200-memory.dmp   Filesize: 64KB