Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 12:27

General

  • Target

    452758616815622bf7f86b5877f13210_NeikiAnalytics.exe

  • Size

    29KB

  • MD5

    452758616815622bf7f86b5877f13210

  • SHA1

    d7a8f8dbaa72736ae948a8398d037af25ad268ae

  • SHA256

    4f76f88019eac8fc5860d958d05d201f32155c50a4bd07b14ade4bc091e9be86

  • SHA512

    5a5dbb2cb05ca8eab1b694210ad532024ecf35a34f7a959f445e6accb91877d0522c729b9ce9537817212011d52d40faba493eb356906059257cba33d4615caa

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/5:AEwVs+0jNDY1qi/qB

Malware Config

Signatures

  • Detected Microsoft Outlook phishing page
  • Executes dropped EXE 1 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\452758616815622bf7f86b5877f13210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\452758616815622bf7f86b5877f13210_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\48WXIN9H.htm
    Filesize

    175KB

    MD5

    5e645f5eda04e3d0b041311330346b3a

    SHA1

    34afda4a2441d71b7fc717f02a9e998cdaa2daea

    SHA256

    70c7a86b54a325b4766b2f0479604f7ab44c18719c3c965358432e432a30cb65

    SHA512

    ca69c844f0f5a1162266269430579bec025718404aae46606a27dc5e653259d6f28c2e30c29097b50471af047f61c46c6ad78420078fa23cef78ff4e96ecc583

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\search[5].htm
    Filesize

    135KB

    MD5

    9a88829db6cb909e416f4f6505c38616

    SHA1

    0e148b78ce2c78bf40452ed9228dd1319a717b4e

    SHA256

    230ffbb5f9aac612c45c0f62110191a0b38db5fe7c006f48aac2d1ef717f2e08

    SHA512

    0dc301de88da6011592ea03ff574c593d33269e991891a971d9a817e627f4f5d0107609f100663eb4b06206d1719e7aa30bf7fd8277733ad5f45aab38fb57a83

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NNUT9QBP\search[3].htm
    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUGBEKKF\search[6].htm
    Filesize

    130KB

    MD5

    9e3e0a9c63ae98ebe4fba58f0e018f08

    SHA1

    9aa0c44cedca08ea8c2d90a6bfffc166efe7c042

    SHA256

    7d84c5c26eded8a996ffe2d5dc97ddc3c10971489f73d9d95e0ba5f8489ecf27

    SHA512

    8acc9c3d318a9e26e768162b615f4c55567cb0ce99751f3a40687c6b4a36c615fca733c37c8c36d83241cc3a01d123c397cc2837ce2aa652f48a3401a48a02ec

  • C:\Users\Admin\AppData\Local\Temp\tmpB91.tmp
    Filesize

    29KB

    MD5

    9ac16c3ab36f7326c842ddc6942c192d

    SHA1

    61bd445572212c893b3e8de6382a3aa08b3f3917

    SHA256

    4616343d93135ac22dfa940f7c83135a1ac6722d9b3eff66351acd05e1ab878d

    SHA512

    89e015e6c68944709461e79b2a31138d3945b52fd5ae2be386adac5d458a037d1e8881142de52937b9b6a607dae9c4bb94207a5db0ec1f9994d54f15f585ef2d

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    829773aadb83bee217d75735f1961f64

    SHA1

    7e167013c6fade47f3c6f2e3a09d14e7eaecf10c

    SHA256

    2b3c95aafeae9e4a881342dff6521f30460ac3c3ff064aa8ba8f461028206015

    SHA512

    50843c24fc2f1149fd5c98f5e172595f6b9d91a11ab1de7cacbe7cb92e5bcdaa90458b3e35c5e74adcf809ee3984b8ee9102d29ceb3df102fb43e34cb87bb896

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    9136c20d3b721698337f35cbfc608fa5

    SHA1

    06bfb43f0d22b14e56cff2e34c4c3a5d56c2ba56

    SHA256

    1ad9f0c934ae8931717fb23ca7b68a05cb903daea5c5517eaee0c97019a9ab5f

    SHA512

    8b2a9ad2cacc50706af4c36ffc8d980d1dd061f974c3412af17035b21c4a33163741d751b5738ffa86c43f8c23d58748942e50de0b3ba996c01d94a1db93aa59

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    451d822b69fbaa5da46e250f9426d6b0

    SHA1

    5f7ba53b70c66c0c816b73144c131ea79810ac1f

    SHA256

    12b06bcd10b7ba420e4ed8a00f7b341b2fd0ee716b68de20b3d96ca88f020359

    SHA512

    30ea90e2f2edb8798b95f65ac74299646b48df857d248b1a1c9eefd94926aff9c63285bb04e77d96052f1b2d04de37108407b2645336462e831922df9ae3d961

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\services.exe
    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/4080-107-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-7-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-43-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-24-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-48-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-36-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-14-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-26-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-19-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-280-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-31-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-38-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-275-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-235-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4080-273-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/4640-272-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-0-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-234-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-279-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-13-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-106-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/4640-47-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB