Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 11:18
Behavioral task
behavioral1
Sample
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe
-
Size
41KB
-
MD5
78644508aebc0232b07a99eb6bf34a20
-
SHA1
a6db7d15723dd4ab07f24ba791e46d650e271823
-
SHA256
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be
-
SHA512
71219143b408098593767d8c0eddcaebfa19ad617d2fc2adc66194cf9a887c2e773cc3a84e14d844425427789de2df40d183c1d54fe8a86d8efe748dac1558b1
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Executes dropped EXE 1 IoCs
Processes:
services.exepid process 4232 services.exe -
Processes:
resource yara_rule behavioral2/memory/2968-0-0x0000000000500000-0x0000000000510200-memory.dmp upx C:\Windows\services.exe upx behavioral2/memory/4232-6-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-13-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-14-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4232-19-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4232-24-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4232-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4232-31-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-35-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-36-0x0000000000400000-0x0000000000408000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\tmp6734.tmp upx behavioral2/memory/2968-81-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-82-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-293-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-294-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-309-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-310-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4232-312-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-316-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-317-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-463-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-464-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-652-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-653-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/2968-799-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4232-800-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exeservices.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
Drops file in Windows directory 3 IoCs
Processes:
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exedescription ioc process File created C:\Windows\services.exe 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe File opened for modification C:\Windows\java.exe 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe File created C:\Windows\java.exe 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exedescription pid process target process PID 2968 wrote to memory of 4232 2968 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe services.exe PID 2968 wrote to memory of 4232 2968 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe services.exe PID 2968 wrote to memory of 4232 2968 4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe services.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4db6ddf1724dfa2ecd184e1acf95bce33d8ded0bacefbb42991536f424c161be_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4232
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ee4aed56584bf64c08683064e422b722
SHA145e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
-
Filesize
174KB
MD53918f6378d7a2b521921da1f7bafcac6
SHA1c614cf3e4aba272dbb156dd10a1f4e39f7e169fc
SHA256761b670aaac9975b7d078cfb5bf2ac7d7aed38ba8fb2e89eb37e42560e7b9118
SHA512af341b48f305780979e75bd393afcedc82d34e8a8a43017f225bd6fa56274b1b5fa4f6f57d6c4ae3ef44a0ec781689ea0d799a3e9ee8c70186ccccba5b67eb5e
-
Filesize
135KB
MD5e051c1c2270da4af7dd24d17e1dbc72d
SHA1ae3ccd1a649acd922b4e5c2e1d6d66893c29d288
SHA256a8d3713971feb8403539fc280cea7a79b7f7fbb323174d004de0b18e5f04cafc
SHA51227449b63b16f497bc806cc69f5f7283b02c62ff8bc08c98d134349dbfd50f60ba874b26886d9bb3e972ef9ba8f261b83561622a8bc907ac50aea163795bf62f4
-
Filesize
140KB
MD5d6ac801b12794d8c7eae14a6e887487a
SHA119a4683843551a53b1454be8b49dc6e6d56e5086
SHA2569f0372081b49f61016bb96f3bddfbb2e283a1d942091ce43ca47fdcdfd6ce372
SHA512957ed6fadc58127acd99fac672a8989dab3016d20718a5810861502658687a9a847a49437dbd067afca2bfb73693e42d30e089f7d504d28f84a92d3760f417b0
-
Filesize
172KB
MD58f30d6d7617d5e8d3bc3207283c95964
SHA18e30cc5d771ac774f5062edfc7a86f1952cc9c7a
SHA256f80d8f39eca707692e2abf8187cff79b1c4040312fea1bac3646b875facb3601
SHA512cc8b631d877e5262a2110c29ee305d46b800f9b312508e163a73944ea57c9d3eef4a48e2a63b15c181ed6bfb1023b19969e8935a8db6bce2504e72e6351fcda0
-
Filesize
138KB
MD592f0ec1f15e67a5c84d959e7249a6df5
SHA1aab1bd1a8d897a994e3b0106d6c9b4b83d88ae14
SHA2564352e9f10f4716c094e1fe7529da7210c24f5f11fcd828d10d3a6777fd6275a8
SHA512ae30224b94728d171a8ab0b785276f0374c7b6a47cf781cd1b6f29e3887dd3eedc662f08da4b65aa2a4b186bdfb1c6da46540c2a425d3da7b3815f51c23e1153
-
Filesize
25B
MD58ba61a16b71609a08bfa35bc213fce49
SHA18374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA2566aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA5125855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize
312B
MD5c15952329e9cd008b41f979b6c76b9a2
SHA153c58cc742b5a0273df8d01ba2779a979c1ff967
SHA2565d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA5126aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296
-
Filesize
116KB
MD5bae1b4364a3719396c00713d3e09fa67
SHA108725d550db7a1897735466b531c4e51585e3ea1
SHA256d6e5f335791803b9fc94eb40f40dfb9e6b38f301c478c32afd613554319ba480
SHA512d9e98b30a48a65aeecbc55eb92ecc48fe9a02102e3eb524bbc681294c42019802f04a144ab73c9c7b96ade3d1c1e6dc6a4b6eadccda79d38ae48bb58eccec9f9
-
Filesize
114KB
MD55cf6321f472e7b5b94fc79eee8c69a2a
SHA11f199be404d382325a37ce507c198d30392a3d26
SHA256b04c8cbc7e09ac0eb82d307cf39eb75e33c5503ff39407cb7ca9027f19224f3c
SHA512422806a6df6667cdee782236e05bf2d4a8273893d267da6b56440c5bfa3c00454445c5b3333ee42ebe0b7851d02fec403ec40d7769d48c989f56c9a31ada6287
-
Filesize
143KB
MD56c05403d159495c8f1ba7b3b29ad6c7c
SHA11d75ffdef4a91a4669b0210648a3ed6c14af991e
SHA25672c68a488b24ac14996750ea70e19757919871b6930060b703b19c1a12e3e3bd
SHA5125bb8c4413a0dc0036eaff7513549827eccac4a206e18505b7718a843edff279eafc9b886f837727f1ceba98958c089241430a70a3bafa1f605182649f1b08bc1
-
Filesize
151KB
MD5f92fc294a7cf467d29696f079126bf1f
SHA1db71f2e8c8835a3a9795a0f6f2427bcbb8c9ffe5
SHA25695a5839a55c200218fb772e485ca82371d3f218451c90be2322c7805758fad16
SHA51274d981cb5293e76985cd530aaaba36f896e45a2eb493693b31966a91b2b7b8888f6cb0c6f1e07947f5955acc61df496a6c907792e9d4fc4f06817974082b8969
-
Filesize
136KB
MD55f6babddcc15bb2cc219ae1bac85e71f
SHA18921b0c01113749a248d8dffdcf6e45da7de6204
SHA256e6f4e2c6a9574c0d13e1faca9d0df5498e53472a791ac5982bab3343a5adf007
SHA5129b0bf3a25fae5f61338981c702f25d4884888f7214b7c695c8654136c6a006eea62e1634531c62f7d3cee3fde5d712fffde2450606144a251742fa2385b7b6ce
-
Filesize
175KB
MD531a039dab5bf2369d5f18be43b54825f
SHA1273b3124ffef976acc21d40e8b1702ae4e0c2e65
SHA256bf0680544bbcf981e6e1772dcc0eed3a3e227de4a7a18ca4f4048b42cfaecdcb
SHA512e6d24761069a1947f0835f134a58c6d5840bb5954e91940ff692cefe8eccf1679bac6ea17a8051c3a4753b354ef7509e7faefb6e9596e575764137f39adc4243
-
Filesize
1KB
MD5211da0345fa466aa8dbde830c83c19f8
SHA1779ece4d54a099274b2814a9780000ba49af1b81
SHA256aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA51237fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
-
Filesize
148KB
MD59db628e0b7a942625a2d74967e07c9d8
SHA1101d1a2a7b84ba7b00c869c9291fccab4e242cbd
SHA256c08c4d6107283be7bb2b82511f69cfab9eb8391915d92e6be562d3717cfb14b6
SHA51285ff7ae9ec654d3ff0ab37dd489515fe2f93745dac04cf7b0ed57c56279aa17b0b3f69eddc2abf962d1e026ffec3e2f3e4a3681ecb758fb4c59f10a542eb3ac7
-
Filesize
137KB
MD51a9b8dff97e783b843083d94a66a5516
SHA1c90e23b60d363445afb647e60f874e676dd7a067
SHA256c1150b321cd9be33c72e06cf05ec9fb8cd82028252b3d476b3cdbab298f81b59
SHA5125827c3c811989e93f8fa36e1f8f22fc6ef8d446e8c6f59a9e4555126b05f393561e1c648ac815363027da3e85620d0d16686c68caea208a78202fef3a3e251cf
-
Filesize
150KB
MD5f18021507c11a224edd3fa76e63fb30d
SHA12fd43d7652f6e4cf0bd3b80f9c347c7a3bbb7291
SHA2569c764d07df8f7549eda6bec5637fd6cf31b6b6910b51172d5af02a264368d968
SHA512d4f5949bc8af3d01e3bf752021e21174ae05bd086b72d70a6474c2d3f8dc262007e811bf4d234679f1ee482d71ca8aa9ce4f0bf09dfdf23562c7ca2e650863c1
-
Filesize
167KB
MD55c20f5a1fc919edde19833bf53343352
SHA1e8d40e78bb817d5028f26f7d5a990207fe2a250c
SHA2566d6e6b54cf325cee1908db16e710bac2ad47b3d08c863b541f3a11dab38115f8
SHA5124db92c8cfd1b20be9f110d7faead26dfd40546c4b0031b6b8aa6020d86f794c7218c21b440d03a0899bce676c8aefc464c519157812525cc14ed8b8d3bb117c0
-
Filesize
175KB
MD53df411bf48202b2f6e0fed6588d64dda
SHA145df932049b3ed70c84edb5f1f004b45aee558b6
SHA2566a82a8bc0755c2835a2f0870d6cc46f25f1fb087478113eac9e903c5b81023f5
SHA5120be63dde1db905a62b1c887c331fe3e5bd4cda6548775aa7f95b297c30664a31e49f5c5bc23b846d84be3df3d595bca91873548cac3a2328ee74671f7f394ff6
-
Filesize
313B
MD5ffb72ab4faba49ad441ce07db37dd8b6
SHA1194e13c1c32ebb6e7a1dc912261cbd58a82ff71e
SHA2567bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660
SHA512517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257
-
Filesize
115KB
MD5be2725bedac194d02e90d650ee4b229c
SHA1ccc424a998c13579ef91543bbb47c820d2d9ab3d
SHA256e53e1d903551c60d8b267f07ed985fd62cad8aa7e40517cf19bbab822cf7c6e8
SHA512ba3420227b00b0ada8a26d1b21da2e7db36b7c5deaadfc1667d19e156ebd5287e4d1dabcc333257a6771f73069f6a053ef06e28358f712824c3ac53edb024ad9
-
Filesize
136KB
MD5dcfe689d0d20fbe25d081fc4d3559c33
SHA19de55574c85b902ead969a57d95aaec39bf0eace
SHA2568ff630c3cd9e3072e801aa0f251913b9bc9b25263114e44a4f6705d3d4a2c77b
SHA5125921370e6b3b2ce9334296098a991ca3516847a131af7c6b23e249e14f376bd6e2d3894230b33040114b4f4827248b6ea6ad2040b3683fa0c369cf23cd8a6c25
-
Filesize
130KB
MD5fd1e75606a51113fa14e501f237f8539
SHA1b735de9f2a10927b9aa95e9fdd9d6a306f993902
SHA256fa3b47914846545936f652fa8b672f1df8c9a6b715e7ce718b5d5d9180533811
SHA5126ecc8f3ef45a82034a4c0ca986cd954b518d997e07b86ef68745085adf96cb0549bc52446100548b2a8cd071da3a1c3f1bab34084d4ac3df04b3c499f3c41792
-
Filesize
137KB
MD5e3c23ec407cfb997c351961e256f24ca
SHA1655a7f5c073b16843b0b2b1d55875bddfa910deb
SHA256f712c348480fc8f147c555ce94b735ae840c770271c6b0a3e1e0b9deca35d094
SHA512a06d20f96e7ad70daf4f67091ffc0a32d49c483c37459dd109aa2b8cf92e0b0bf1b1955c439b281206dfd3be0c97272563595bc47dabde04b6776d7c448116b2
-
Filesize
131KB
MD5cc492827d3268d7c3c9c1197b6f08887
SHA1fcf2d8067d34b1e245b28585f4ca3d3f516b2331
SHA256e275c631641104e5df0258d92f11dd8a5637741b12a63cb9af1c5a2d64d925fd
SHA51217a92e7576853d2b37b5c643172e1efdb2985b76f5a22d50ee95041007ed00de9a11d0722d6d8fc395488ec79c70e5e755096cbdff353ca6e4b810ad3c499b90
-
Filesize
41KB
MD5d478af908a56057c165b9a524876d389
SHA1c2903cc0d27c25a1c30c0d038c821ce635ba9958
SHA2561be0b9419bd27bf9ca172a71868a1fadaeb9a4132ab66a165caf65bd28306182
SHA512616786d5c7d2bccc5d33f5e6cd95ade55494f95368afabeed106b5bf4754a0742ea0d2a12c762ce23c803a58188d6aee1ee1144df022a1374d9cb3dbfa1f4aa0
-
Filesize
160B
MD5785b35b4ce9e5fff8476726927111ffb
SHA1318d9c1f7e0e14d6dff4a2dca50a38bf319bee67
SHA256f559ea9656a14cec67ef793c3db22076011a4f2f89a2b0f092d542dcb75e49d6
SHA512b855c4ddc06eb663aba8bfe77e3cc96f70b9ab453798b381535819101131b79bfddb7a1d3d76bb5e47bb343bad913025e15d4892856052fb2476a887d4171284
-
Filesize
160B
MD5170cdc0eb0795bd31b0f596d3774c547
SHA1da575da80905b468149f91a84c906e8196a41c2e
SHA256e6aed387f01539d4400ac508599a7f59ad2fe5bff49ca9f450c0ec15987a3504
SHA5127a32767c06275ef4a1b8063324a588ae4af05f72f33dfdec45d6be10d6291723a2db2c3906af1c66a197ff73037308c0fc14301e0d9c535cdbd8df954f3a7421
-
Filesize
160B
MD5e2d0d7033d819b6b92cfa59cd7773154
SHA1adcc49c20bb5f59b93ee56efcdb97171cfa67af5
SHA256e76e5c8a4ad51c446e14c74e415dada64c9d55a484839151c24773a762c7c5f7
SHA512d493dbcf693cc79add2fdd9d2a3d969a60ee28524287e95388ce767cf65d9d55e84f138efdd7406b95a97b58ae61c829a431dfc921f8c7a59d777dfa70c507df
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2