Malware Analysis Report

2024-09-09 11:21

Sample ID 240618-qcdngsyfmp
Target 4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe
SHA256 34ac22c9ccf35fd16aa9fd959be8472cb20ef77db0b1dd9f76b3a99dee427fd1
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34ac22c9ccf35fd16aa9fd959be8472cb20ef77db0b1dd9f76b3a99dee427fd1

Threat Level: Known bad

The file 4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13 (matrix not reproduced in this export)

Analysis: static1

Detonation Overview

Reported

2024-06-18 13:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 13:06

Reported

2024-06-18 13:09

Platform

win7-20240611-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (28 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A

Reading this signature: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root, and AuthRoot is the store that Windows' automatic root-certificate update writes to. Together with the OCSP traffic to r11.o.lencr.org in the Network table and the CryptnetUrlCache files under Files, the entries are consistent with CryptoAPI building a chain on the sample's first HTTPS connection rather than with a deliberately implanted root; the "evasion" tag should be weighed with that in mind.
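The two Run values and the two files dropped into C:\Windows are the sample's persistence story: a 32-bit process (the Wow6432Node path is the WOW64 view of HKLM\...\CurrentVersion\Run) registers java.exe and a services.exe lookalike, both written by the sample itself and both placed directly in C:\Windows rather than in System32, where the real services.exe lives. The Python below is an added example, not sandbox output and not the sample's code: it parses rows in the format of the tables above (REPORT_LINES is a constructed copy of those rows), extracts the Run entries and dropped files, and tags each Run entry with why it is notable. SYSTEM32_ONLY is an assumed list of binaries that belong only in System32.

```python
"""Turn the persistence and file-drop rows of the signature tables into host
IOCs and score each Run entry.

Added example for this report; it is not sandbox output and not the sample's
code. REPORT_LINES is a constructed copy of rows from the behavioral1 tables,
and SYSTEM32_ONLY is an assumption about where those binaries belong.
"""
import re
from dataclasses import dataclass, field

REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A',
    r'File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A',
    r'File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A',
    r'File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A',
]

# Assumption: these binaries legitimately live only in System32; a copy
# anywhere else is a lookalike.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "wininit.exe", "smss.exe"}

RUN_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S*\\Run)\\(\S+) = "([^"]+)" (\S+) (\S+)$')
FILE_RE = re.compile(r'^File (created|opened for modification) (\S+) (\S+) (\S+)$')


@dataclass
class RunKey:
    key: str          # registry path up to ...\Run
    name: str         # value name, e.g. JavaVM
    image: str        # normalised image path the value points to
    writer: str       # process that set the value
    reasons: list = field(default_factory=list)

    @property
    def via_wow64(self) -> bool:
        # A Wow6432Node path means a 32-bit process wrote the machine-wide Run key.
        return "\\wow6432node\\" in self.key.lower()


def parse_run_keys(lines):
    keys = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            _kind, key, name, image, writer, _target = m.groups()
            # The report doubles the backslashes inside the quoted value.
            keys.append(RunKey(key, name, image.replace("\\\\", "\\"), writer))
    return keys


def parse_dropped_files(lines):
    """Return {lower-cased path: set(actions)} for files the sample touched."""
    dropped = {}
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            action, path, _proc, _target = m.groups()
            dropped.setdefault(path.lower(), set()).add(action)
    return dropped


def assess(lines):
    """Return {value name: [reason tags]} for every Run entry in the lines."""
    dropped = parse_dropped_files(lines)
    findings = {}
    for rk in parse_run_keys(lines):
        directory, _, basename = rk.image.rpartition("\\")
        if directory.lower() == r"c:\windows":
            rk.reasons.append("windows-root")        # autostart image directly in C:\Windows
        if basename.lower() in SYSTEM32_ONLY:
            rk.reasons.append("system32-lookalike")  # system binary name outside System32
        if rk.image.lower() in dropped:
            rk.reasons.append("dropped-by-sample")   # the image was written during detonation
        findings[rk.name] = rk.reasons
    return findings


if __name__ == "__main__":
    for name, reasons in assess(REPORT_LINES).items():
        print(f"Run\\{name}: {', '.join(reasons) or 'nothing notable'}")
```

Both entries come back tagged windows-root and dropped-by-sample, and the Services value additionally as a system32-lookalike; those three tags, rather than the file names, are what a hunting query over real endpoint telemetry should key on, since the value names and paths are trivial for a variant to change.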

Processes

C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Reading the table: the sample resolves a series of domains (alumni.caltech.edu, gzip.org, unicode.org, apple.com, insideicloud.com, mac.com, icloud.com), looks up their mail exchangers and connects to those hosts directly on TCP/25, i.e. it carries its own SMTP client rather than using the host's mail configuration; it fetches result pages from search.lycos.com, www.altavista.com, search.yahoo.com and www.google.com (cached as search[4].htm under Files); and it attempts TCP/1034 connections to private-range addresses. The 8.8.8.8:53 rows are the sandbox's DNS resolver, not infrastructure belonging to the sample.

Country Destination Domain Proto
N/A 10.126.94.178:1034 tcp
N/A 192.168.2.157:1034 tcp
N/A 10.227.85.66:1034 tcp
N/A 172.16.1.5:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
N/A 10.179.108.182:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
N/A 10.241.35.61:1034 tcp
N/A 192.168.2.111:1034 tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 8.8.8.8:53 search.yahoo.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 r11.o.lencr.org udp
BE 23.14.90.89:80 r11.o.lencr.org tcp
BE 23.14.90.73:80 r11.o.lencr.org tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 insideicloud.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 email.apple.com udp
US 8.8.8.8:53 insideicloud.com udp
US 8.8.8.8:53 mx-in-hfd.apple.com udp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 209.202.254.10:443 search.lycos.com tcp
NL 17.57.165.2:25 mx-in-hfd.apple.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 insideicloud.icloud.com udp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 192.168.2.10:1034 tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 mac.com udp
US 8.8.8.8:53 mx3.mail.icloud.com udp
US 17.42.251.62:25 mx3.mail.icloud.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 mx02.mail.icloud.com udp
US 17.57.155.25:25 mx02.mail.icloud.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
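The rows above are easier to act on as counted behaviours than as a raw list. The Python below is an added example, not part of the report: it parses rows in the table's format (SAMPLE_ROWS is a constructed subset of the rows above), classifies each as a DNS lookup, a direct-to-MX SMTP connection, a search-engine fetch, an OCSP fetch or a TCP/1034 probe of a private address, and states the mass-mailer pattern as a threshold rule. SEARCH_ENGINES and the threshold in mass_mailer_verdict() are assumptions, not sandbox logic.

```python
"""Classify sandbox network rows into behaviours so the mass-mailing pattern
can be stated as a measurable rule.

Added example for this report, not part of the sandbox output. SAMPLE_ROWS is
a constructed subset of the behavioral1 Network table; SEARCH_ENGINES and the
threshold in mass_mailer_verdict() are assumptions.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_ROWS = """\
N/A 10.126.94.178:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.40.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
BE 23.14.90.89:80 r11.o.lencr.org tcp
N/A 192.168.2.157:1034 tcp
"""

# Row layout is "Country Destination[:port] [Domain] Proto"; the Domain column
# is absent on the private-address rows.
ROW_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+)(?: (\S+))? (tcp|udp)$")
SEARCH_ENGINES = {"search.lycos.com", "www.altavista.com", "search.yahoo.com", "www.google.com"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    domain = row["domain"] or ""
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if row["port"] == 25 and row["proto"] == "tcp":
        return "smtp-direct"          # the process speaks SMTP to a mail exchanger itself
    if ip.is_private and row["port"] == 1034:
        return "private-port-1034"    # probes of RFC 1918 addresses on one fixed port
    if domain in SEARCH_ENGINES:
        return "search-engine"
    if domain.endswith(".o.lencr.org"):
        return "ocsp"                 # Let's Encrypt OCSP, a side effect of TLS chain building
    return "other"


def summarize(text):
    """Return (Counter of behaviour classes, sorted list of MX hosts contacted on TCP/25)."""
    rows = parse_rows(text)
    counts = Counter(classify(r) for r in rows)
    mx_hosts = sorted({r["domain"] for r in rows if classify(r) == "smtp-direct"})
    return counts, mx_hosts


def mass_mailer_verdict(text, min_mx_hosts=2):
    """Assumed rule: a process that opens TCP/25 to several distinct mail
    exchangers and also pulls search-engine result pages is behaving like a
    self-contained mailer harvesting addresses."""
    counts, mx_hosts = summarize(text)
    return len(mx_hosts) >= min_mx_hosts and counts["search-engine"] > 0


if __name__ == "__main__":
    counts, mx_hosts = summarize(SAMPLE_ROWS)
    print(dict(counts))
    print("direct SMTP to:", mx_hosts)
    print("mass-mailer pattern:", mass_mailer_verdict(SAMPLE_ROWS))
```

On a real network the same rule translates to "workstation opens TCP/25 to more than one external host that is not the organisation's mail relay", which is cheap to express in flow logs and does not depend on the domains this particular detonation happened to pick.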

Files

memory/2248-2-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2248-4-0x00000000001B0000-0x00000000001B8000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1348-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at this point: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2248-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1348-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-23-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/1348-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1348-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-34-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1348-40-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 f162712665a42e0f23ddd1cc578d65de
SHA1 e9a098ba218a42e3cd9c6343638dc1cdbacd3f45
SHA256 b1c1b5a5ac2bb4ee8273161c02e9e0f27288e07c7ae8bc683443345b0261dfa2
SHA512 7ba1526dac9e6e746c913a03a8079320dde71a4c9f6c29db378fc1938e71fb93bffdd1e96f5ff559c997045bec0a2493805c159ac7006f513f33280525bdf3a1

C:\Users\Admin\AppData\Local\Temp\tmpA527.tmp

MD5 52bec5213440a0c52b7b157c519e5d37
SHA1 1782907b2371233892f30ff7cda70e921b6b9cc6
SHA256 fa76b9c0e874e8148539187e74dd51c4c669c1a6a8c027e852b663a431697b08
SHA512 bd9a22230b2675cacfdce49f93405ab57ab77b3088e433dbb410e1fcdb1dd38980c180dde4a147ad5f5f3c386d40eee0fd85d0958b4c01140357588938aee7c2

memory/2248-58-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-59-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-62-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-67-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-69-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-74-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-75-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-79-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1348-80-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1348-82-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 3afb27b62cf742f9dddf798a5790a12e
SHA1 fc8ccb0389f81e13344df341f6ad53b369efe6f2
SHA256 5b2adf31cdd206213f94bbfe8eacb84248772c753beec74e841582152cc40d88
SHA512 5320d8a1d7e70e3a858dec83d48284ee0c2e3a2efdb87e27cede333406b1064c343a5a1341c617f792374ae04112b43f555658b75e44ca29926f2d5397842a1d

C:\Users\Admin\AppData\Local\Temp\CabAFE8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB0D5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5db4a570659719d2e69b29747c28267d
SHA1 bb8d81ee0b8535ae0312d76276a45e88e8b33bb9
SHA256 73883dc6e7e7d2545f17c2a78e0359ccba6c129ec126dd3b9499f809b391f26d
SHA512 7b10412aa0e42f908f034e9cec2de376ed76b220eff291ca0efa0e1ede969d36ee943a543dc8dd1a3e5210ab0650fc294a9d0ca3ec9a851662a55fd9276c1c0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fe4f390637cc4249aa5651d17536192
SHA1 1c8db167163496e4dd73eedb4d5a2f9e8b32e1be
SHA256 08b66124f5dcdbc132a444c7a848dbe694a97148a4173bb027e588cb0b6fac24
SHA512 c877d556ff866a66f438b52ae537833f6a6bbd1b2ad4483a353514c5a1f6cc5df55fe758a1a696167a538db47e4809d43db40a536908fcafef61d2d79fcac4d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3JK00ZJ\0XF0RNDG.htm

MD5 f8da47f95660ec9cf7123523f5efc4b0
SHA1 beb7fbeb1cdfd35e20fd8e0c32c188455f348836
SHA256 da210b7c3c7c5af2519a5a7af6959c9c17d330592cad76020b6eb7806eae30e9
SHA512 cabbdb09a76d836bd87a1a0605d3a8bfbca49e0e2cc3ce7d1937e55bac6eb5cbe04aef83641f2d0090085eee61477d9a9ed3b04be1f3f67e92f534914527a072

memory/1348-235-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2248-233-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3JK00ZJ\BBOUXVX2.htm

MD5 60f765262b8a6752e7e301d48e8a586d
SHA1 d6f50b748d922d3dd38876a7137f5ee3e4619401
SHA256 1f0c34ff1467aeb0cb2decf60e31f5f8b393852f924ad2ca584bbbce4a6541ad
SHA512 a4c356753618edc206939ca13497e11df06d6709e04e493e770a01c900df6c30b40c30160ac42bffc7db3731bf20dac0be6397b7757308b0643ae038875586f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 13:06

Reported

2024-06-18 13:09

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook
No indicator is attached to this signature. The only Outlook-related artifact in this report is the DNS and SMTP traffic to alumni-caltech-edu.mail.protection.outlook.com, which is the Exchange Online Protection inbound MX host for alumni.caltech.edu, not a web page; the "phishing" tag on the sample should be treated as unconfirmed.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (23 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4909fffa1da76f14e1060b63c4caa190_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Reading the table: the same pattern as behavioral1. The sample resolves m-ou.se, acm.org, cs.stanford.edu, burtleburtle.net, alumni.caltech.edu, gzip.org and hachyderm.io, looks up mail exchangers and connects to them directly on TCP/25, fetches search-engine result pages, and probes private-range addresses on TCP/1034. The in-addr.arpa rows are reverse-DNS lookups of addresses that do not otherwise appear in the table and are most plausibly Windows 10 background activity on the analysis VM.

Country Destination Domain Proto
N/A 10.126.94.178:1034 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
N/A 192.168.2.157:1034 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 10.227.85.66:1034 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 172.16.1.5:1034 tcp
N/A 10.179.108.182:1034 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 10.241.35.61:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 acm.org udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 52.101.9.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 209.202.254.10:443 search.lycos.com tcp
BE 23.14.90.89:80 r11.o.lencr.org tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 hachyderm.io udp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 209.202.254.10:443 search.lycos.com tcp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
N/A 192.168.2.111:1034 tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
TW 142.250.157.27:25 alt4.aspmx.l.google.com tcp
N/A 192.168.2.10:1034 tcp

Files

memory/1324-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/4108-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at this point: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1324-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4108-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4108-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1324-54-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4108-55-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1324-59-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4108-60-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 07a9dd3e987c96e77905dadf39396db8
SHA1 e91664373a5dca769f4ff07be5592b56d408ff84
SHA256 c0fbe02ca34b960c96936d1f4fb3f842f00a85b0fcc6eb7b504b79b602852364
SHA512 fbfd523658b10cbd5deb20f95e33d0d557a1c19ba2cc07134398eedec140c7f1cd0d43985f4f03b65cb10f49151330208491b7ae0fe11ed65a9645679a427f6d

C:\Users\Admin\AppData\Local\Temp\tmp2247.tmp

MD5 538eca0a7f116a8adaa0b5c9eff8cc3e
SHA1 1b92c52c33df741105c3db38a7b792730abd0e41
SHA256 18b1af34fda4bdf34f0187f6ef3b5011a9eb754ecd3d78613a9b96321ebd624c
SHA512 847c3486a85d8bbf46df57bf5ca78c23ef0e27c3f22577d85965470cd033dbeeb1f409ffa9395b11845cab42e3eec093ed8ff2e144c00a266ddbd7a8c691b7f1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\70UVXKYG.htm

MD5 cdd524e903ca6b7f3173f4cda5c77060
SHA1 848e2b79ba624805a49db3f6ac7295c093f96256
SHA256 b8725beeff3cfa07ba03494801daad99a79dc694d99ec403f30a984a9eb8eb06
SHA512 6623d407fa38d213643c775f4bb0dcff93b6e828225e971bb14bea738a6ae016ac0876dd5a5aab1f89ad4cffce1ff39198ab0d55a6b3baedf4783931cb0a5798

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\XNU0GXY0.htm

MD5 87e13770f8658d929f0358487b602c9e
SHA1 b3b134c4c1f32fa83a9fefa8644490ec0490766e
SHA256 dc54a6099fa7f6ab3f1753bacf3ff06262229fe4d276b7358694ec3b8e400206
SHA512 d2482ebe3de6bca9038e192de62e7e8a808154adec88657f595f6c2c1638f526cf94af53518a3226a27dc3181856a54e61283ea386ad9e502b0669ebbf10daf1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[4].htm

MD5 c16b063124739c9da713dbd2c850c744
SHA1 7dfc27aff64b11b8ac8b5a2dd2c886433c33da6f
SHA256 c4820822033031cc9182bce736c955dbea15e3303a88f83f656c38e84e1bfca9
SHA512 fbc56e904c8d51e243f46daddfa3aa235b2f66729eb31e8da77fd911e63818919aa596d187bb2c0c2bd39238b5abd59bd1fb8c6f1702f4a0d9d1c23b8eda139f

memory/1324-220-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4108-221-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1324-224-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4108-225-0x0000000000400000-0x0000000000408000-memory.dmp