3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe
Size

29KB
MD5

82d272cfc34c60043aa5ad8db2757230
SHA1

bb146afe9086c4fd2dae3c18552df5347337020c
SHA256

3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b
SHA512

f9ddafbad4e9033d42911f961e8ff985ddfee883f1ab3ab8680fdd2321bdeef09a5dfbdfe4780591a4ec55f3f8a3db4109933fef08f1b041ac26cb92fcb53fcf
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/A:AEwVs+0jNDY1qi/qY

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1164	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4564-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000900000002344c-4.dat	upx
behavioral2/memory/1164-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1164-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1164-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1164-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1164-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4564-35-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000023464-46.dat	upx
behavioral2/memory/4564-174-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-325-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-326-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1164-330-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-331-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-332-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-350-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-351-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-359-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-360-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-392-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-393-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-474-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1164-475-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe
File created	C:\Windows\java.exe	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1164	4564	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe	83
PID 4564 wrote to memory of 1164	4564	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe	83
PID 4564 wrote to memory of 1164	4564	3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3907ecc8d8043ceed920189e26c83595bf0ead7332593631324ff6079385302b_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\searchPM0CY78P.htm

Filesize
143KB

MD5
d7de71b96dcb4a492c557b4582c148eb

SHA1
a22601cf042bba132590fdb52add6bfa017d6da3

SHA256
7ed61872d1ceed305aa42a242c3f0583e25ed54b91ef443e9e1d3a5dbcfce192

SHA512
c901307ec3c533773a4e23dae38ce641f1f1fb6e7a0f757dddd8397b89626550d778a730a59b4c33bde8c370cc7fb7abe78a600ab385b50f8a8c23927174d5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\FM4FSRNH.htm

Filesize
175KB

MD5
b6c6cb3bffc8e711e7b2cffdb49cf6ab

SHA1
b6462eb473ac109e8991bb63f5651a96b3d57002

SHA256
99859350c1d9be9a7d8ec349ca7aa6bd24317467d7c4423c274ee90b06bcee96

SHA512
ef0f59f74ef8bb368cc9aa52233863a95e6cfdf40cdf9d7bcc1826d9f21927436316685da28d899e8a225c1272f1297b228a86af51e025cd3c6a13c4e2d5fa64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\search[10].htm

Filesize
160KB

MD5
8ff6d2d93250d26c622fd6939d18e38d

SHA1
fb68d876c0397fb5ecf22d58c4836ffd61d8af68

SHA256
f2d128cb13c01a99fbd24be10518a145f5b7399cff714248187c0d3fa18923e9

SHA512
6e3e04cf3a064b0511dfcb53dfea0c0d05fcb7b37188f05ce5bdbfbe1094f52d98c789ad8fdda38aef5da97f8dd43de78f01381ebaf190fd76e4717c3ad1e8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\search[4].htm

Filesize
179KB

MD5
da5575d0ef91fcc6ddbc96a74101de90

SHA1
dd1bb7ad48c7f5a644eb29e12bcda5b1ec8d579f

SHA256
61f55059fc94283f186b26830703e3f3a1a30fccc34f2b20fcc6f37f910b4ea7

SHA512
ec0b74de73cb9d26680adfd55d60b5ec557ac9c479de11d4d3bf928da617bbc6af140b87a505813950ed8f2a781fe527db89ea88681a7bd17549741be1bc8670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[10].htm

Filesize
138KB

MD5
218b12181e41212771dac79bb03be5ac

SHA1
33ec5c2b755a241f853fddbb63156eb8109a38a6

SHA256
1780ec4105953c15206576af066636f217d6600125acb83cf83ca49a9ee69f47

SHA512
aece94629543b42cccfe679726bbdf9468bed9a773f419dae7ce717c0ae7d12751bde5fb675678e57ca9d763eb9c5255b45bf28617f943a427d8ee950cb48ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\search[4].htm

Filesize
131KB

MD5
d7441aca88441e0c5e206b4f70e77bab

SHA1
ea8e70e7a5c9e6903d994061540343f01f62dd98

SHA256
ca3201b19fc9b255ed3a4ed105485d55519bdcd4a76294fe45494e0a079f2a51

SHA512
80d010e8f5f2ab900e2857ef747432cb4653c983765594228bef0d3f0f336f6cc917adb600da61635e3f4ee913c2e6681362f7551dc8308e41d742fc1053e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50CD.tmp

Filesize
29KB

MD5
e24f03de9e1b8620a88bd64599f1f052

SHA1
395cb78699fdf97f38973d4acc344b99f506a6bb

SHA256
5af5a339c5e1f32b4814364aa82d230dc88f40f38546b8ad8c8cee80b65cd16f

SHA512
a8619610ab819e56dc0bdff79a3cbc969fcb69b4834f79988ba3ed05423b99ac62ec2cf6efd8c831c677d08d37a06c0d185806f47dfc79757b2f91f9cdd60760

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
f3111d1c36b08a6a7a4b46dac9e581c9

SHA1
1c6f8c231e5556f64cbb484ffdb0648a05f1e4ea

SHA256
eabc867948df66427429fabdee60c4b0dc0e3ddfb6115f29186a42333ecd920b

SHA512
f50c26168085602e94b11fbe6f92f65bd75dc06b01ab11195135edfc840695cec7093d100e5146c5dd72c392f6b8321eb12e6df27c69054396eccf7bdce1bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
999d92072e0bfe47848033375372e128

SHA1
a017b160ca5de83e8f26565c61428dc046e600ad

SHA256
6fcbb6750e680036f77fe8b40d48ea3236994a7f0203aff234583e12a930ba13

SHA512
12471993cc535ca9eaa74188d78f1edc6227e33fe982b8fd3b0a77d45cf7afc4b2c594adffeb732f8a2015fd4fe31505f017180ab78bc7ac28091c6e19cdc872

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
043ac5c0a27d8c0f534ea215bcf14d88

SHA1
f4708f994c5346eaadc94272ca555941e197d4a2

SHA256
f77d54a08f0dcd7f918c1451a0f0496b6920588f21d125e7b8bafcedbc86c50b

SHA512
8f8630eeb509570b1e5714111f5c71558598d37f0a9422a902683c7b02f32d849a9786c47ab0e63789a4c7dda713308020142f76b454da0dd8b6e9124222d999

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
55611fa2ea19c1c4e6e1f9632f042f2b

SHA1
72681ecea517852c3b04db836500faef677a3d7c

SHA256
131b40f81eed552d9d827d0495e995d35b1d7ae2a6de4e80af8e7b123f5220ef

SHA512
bfc97f8e82b0263f7c6e63bd96cb36ff0e8d3d923afd041d715b6c7079f4facba1029e4636b940dcd47ed1bf8ebdcfa337456480ff368b7bde854ce84e0c19f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
dd801b5d0faaaf0fae3312a03fa647a5

SHA1
e70d2123412f3ce91af892b0b3c6588d82e3e1e6

SHA256
69968e6a9aca608e08831ebeee8c47d8956d6a4e12d6132e1c3623cff165b212

SHA512
0cf590bc37c199f8e3fa03f4e7ca8b0fd1d0d33fa13cdb787b5adcf8ba5f16b0af1391d4bf49b407fce559c0c4a4474deec2aa36d2c7c47664e0b61f4465351e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1164-332-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-475-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-393-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-326-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-330-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-360-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-351-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1164-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4564-350-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-359-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-331-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-325-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-392-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-474-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-35-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4564-174-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads