Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 12:27
Behavioral task: behavioral1
- Sample: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- Size: 29KB
- MD5: 452758616815622bf7f86b5877f13210
- SHA1: d7a8f8dbaa72736ae948a8398d037af25ad268ae
- SHA256: 4f76f88019eac8fc5860d958d05d201f32155c50a4bd07b14ade4bc091e9be86
- SHA512: 5a5dbb2cb05ca8eab1b694210ad532024ecf35a34f7a959f445e6accb91877d0522c729b9ce9537817212011d52d40faba493eb356906059257cba33d4615caa
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/5:AEwVs+0jNDY1qi/qB
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Executes dropped EXE 1 IoCs
Processes:
- pid: 4080
  process: services.exe
Processes (yara_rule: upx matched on each resource below):
- behavioral2/memory/4640-0-0x0000000000500000-0x0000000000510200-memory.dmp
- C:\Windows\services.exe
- behavioral2/memory/4080-7-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4640-13-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-14-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-19-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-24-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-26-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-31-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-36-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-38-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-43-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4640-47-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-48-0x0000000000400000-0x0000000000408000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\tmpB91.tmp
- behavioral2/memory/4640-106-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-107-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4640-234-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-235-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4640-272-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-273-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4080-275-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4640-279-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4080-280-0x0000000000400000-0x0000000000408000-memory.dmp
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe, services.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
  process: services.exe
Drops file in Windows directory 3 IoCs
Processes: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- description: File created
  ioc: C:\Windows\services.exe
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- description: File opened for modification
  ioc: C:\Windows\java.exe
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- description: File created
  ioc: C:\Windows\java.exe
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
- description: PID 4640 wrote to memory of 4080
  pid: 4640
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
  target process: services.exe
- description: PID 4640 wrote to memory of 4080
  pid: 4640
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
  target process: services.exe
- description: PID 4640 wrote to memory of 4080
  pid: 4640
  process: 452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
  target process: services.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\452758616815622bf7f86b5877f13210_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (child of 1)
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\48WXIN9H.htm
  Filesize: 175KB
  MD5: 5e645f5eda04e3d0b041311330346b3a
  SHA1: 34afda4a2441d71b7fc717f02a9e998cdaa2daea
  SHA256: 70c7a86b54a325b4766b2f0479604f7ab44c18719c3c965358432e432a30cb65
  SHA512: ca69c844f0f5a1162266269430579bec025718404aae46606a27dc5e653259d6f28c2e30c29097b50471af047f61c46c6ad78420078fa23cef78ff4e96ecc583
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\search[5].htm
  Filesize: 135KB
  MD5: 9a88829db6cb909e416f4f6505c38616
  SHA1: 0e148b78ce2c78bf40452ed9228dd1319a717b4e
  SHA256: 230ffbb5f9aac612c45c0f62110191a0b38db5fe7c006f48aac2d1ef717f2e08
  SHA512: 0dc301de88da6011592ea03ff574c593d33269e991891a971d9a817e627f4f5d0107609f100663eb4b06206d1719e7aa30bf7fd8277733ad5f45aab38fb57a83
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NNUT9QBP\search[3].htm
  Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUGBEKKF\search[6].htm
  Filesize: 130KB
  MD5: 9e3e0a9c63ae98ebe4fba58f0e018f08
  SHA1: 9aa0c44cedca08ea8c2d90a6bfffc166efe7c042
  SHA256: 7d84c5c26eded8a996ffe2d5dc97ddc3c10971489f73d9d95e0ba5f8489ecf27
  SHA512: 8acc9c3d318a9e26e768162b615f4c55567cb0ce99751f3a40687c6b4a36c615fca733c37c8c36d83241cc3a01d123c397cc2837ce2aa652f48a3401a48a02ec
- C:\Users\Admin\AppData\Local\Temp\tmpB91.tmp
  Filesize: 29KB
  MD5: 9ac16c3ab36f7326c842ddc6942c192d
  SHA1: 61bd445572212c893b3e8de6382a3aa08b3f3917
  SHA256: 4616343d93135ac22dfa940f7c83135a1ac6722d9b3eff66351acd05e1ab878d
  SHA512: 89e015e6c68944709461e79b2a31138d3945b52fd5ae2be386adac5d458a037d1e8881142de52937b9b6a607dae9c4bb94207a5db0ec1f9994d54f15f585ef2d
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 829773aadb83bee217d75735f1961f64
  SHA1: 7e167013c6fade47f3c6f2e3a09d14e7eaecf10c
  SHA256: 2b3c95aafeae9e4a881342dff6521f30460ac3c3ff064aa8ba8f461028206015
  SHA512: 50843c24fc2f1149fd5c98f5e172595f6b9d91a11ab1de7cacbe7cb92e5bcdaa90458b3e35c5e74adcf809ee3984b8ee9102d29ceb3df102fb43e34cb87bb896
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 9136c20d3b721698337f35cbfc608fa5
  SHA1: 06bfb43f0d22b14e56cff2e34c4c3a5d56c2ba56
  SHA256: 1ad9f0c934ae8931717fb23ca7b68a05cb903daea5c5517eaee0c97019a9ab5f
  SHA512: 8b2a9ad2cacc50706af4c36ffc8d980d1dd061f974c3412af17035b21c4a33163741d751b5738ffa86c43f8c23d58748942e50de0b3ba996c01d94a1db93aa59
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 451d822b69fbaa5da46e250f9426d6b0
  SHA1: 5f7ba53b70c66c0c816b73144c131ea79810ac1f
  SHA256: 12b06bcd10b7ba420e4ed8a00f7b341b2fd0ee716b68de20b3d96ca88f020359
  SHA512: 30ea90e2f2edb8798b95f65ac74299646b48df857d248b1a1c9eefd94926aff9c63285bb04e77d96052f1b2d04de37108407b2645336462e831922df9ae3d961
- C:\Users\Admin\AppData\Local\Temp\zincite.log (no Filesize reported; the digests below are those of a zero-length file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\services.exe
  Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
- memory/4080-107-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-7-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-43-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-24-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-48-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-36-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-14-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-26-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-19-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-280-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-31-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-38-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-275-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-235-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4080-273-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4640-272-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-0-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-234-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-279-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-13-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-106-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB
- memory/4640-47-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB