0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe
Size

41KB
MD5

8576124d80526fc66b947d6c17528280
SHA1

9b77018f04b1759e585437024da941a4e435ad68
SHA256

0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432
SHA512

a5b2ef947a5dba700709dc678caf53d40f0b0a59b785df60c43b5df50573942f2a5b4fda1334e25f05835f1c651379866629c4d4b8694e3ba58fe0f656ed049b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1972 services.exe

pid	process
1972	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1088-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/1972-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpBC97.tmp	upx
behavioral2/memory/1088-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-191-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-268-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-269-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1972-274-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-275-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-276-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1088-386-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1972-387-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe
File created	C:\Windows\java.exe	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe

description	pid	process	target process
PID 1088 wrote to memory of 1972	1088	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe	services.exe
PID 1088 wrote to memory of 1972	1088	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe	services.exe
PID 1088 wrote to memory of 1972	1088	0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0acf4c3121bffee71d9e99998f4e94e24149f0d96f4e376c4e5cfb2dbade2432_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\8B43SUO8.htm
Filesize
175KB

MD5
7b3e4843bc516936ee7a765973f5cb5a

SHA1
cee8bd2319dae10fa219dd953fdfa5435cbfeb2e

SHA256
54aed44ded431983733be84a461307b5d5c6797adfde903e56a6d8727e5a75cc

SHA512
670179970ea614dc74897563104705ad1935691f47e2be53aae5d653359f92475a6651ee8e77ee897a6863e4fb81f4fc78dca28b1e0021318defba73cad11e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\searchRR6Q891Y.htm
Filesize
147KB

MD5
40d5e40b6e9fb5e5b83a11456aab8fb7

SHA1
543ef83f48b63ec95b27d07dd38ab60c1c33d8b3

SHA256
a4b5ec7decae1cabbd14f132ceeb68c16a12c6494a4aec159d8a1bf000573a3f

SHA512
e871b8d7ee76b0953bca16440501d09db0dc4f672d93f9c582d39e515837c5f70d5b983dd1f5d13cc792ae22af973872b808ca584282436f38ade3448efd5adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\results[3].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\searchBG05DHG0.htm
Filesize
138KB

MD5
5509e83384cedef340218d3fcc24b241

SHA1
70def36e34115ffdbfc05158f80010074ca3f2f0

SHA256
c772ea20e4b592713a4dd24613ecba3f15b0e1a663812b8e68ed037bcd087515

SHA512
7d381fbb93ca73bafdc59acec968a41da935ab07176277c02a0e8bba711fa7e2a0445940153eac10fa476816016abd2596778a1617b08334949023f68c895525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[1].htm
Filesize
145KB

MD5
87b6c7106fc60987a44fbef1e0748006

SHA1
bff4be67f8b85a6b5c2e1143f8cc49bdf685fccb

SHA256
139f261f9444bb3317ba503775918ea4bbfa669b0465dc62b4fac9ef8563672d

SHA512
f99a7c482499af969f2334b40d54ba080b15f446660a913f8761b1bb1240509740c87d0bd2801ccd7fac3bc240393f30d50acda27ef7c4547c57b0607e501e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[4].htm
Filesize
149KB

MD5
16c15c630658cff4855175267d59a8d5

SHA1
b2a2b111c58a6dd109ea3f29e1c297f0052854b6

SHA256
cfc6e1397cb2f6a9410c2d2d634e0de07f43799a6a1f0d8817943fdc9f744d7d

SHA512
00d57a286401a2fae97df78a54d867757d298346d6f396c9e55196a506f6293a9c5b2fc4490d21a4228377ff9a7d2d680a47e7b3ff4a88c1fb45e0d99f0fbf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\results[2].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search54V7XAXS.htm
Filesize
114KB

MD5
1e8f6be031d9a347155c318a354b67ab

SHA1
50b9e6e3a26d26e9f775ffb6739926edd5361cd0

SHA256
e4b5b560f4f405dceb9dcbb0d8f8ffcede68408398dbc0a4d65e514e22a234a1

SHA512
67ed24d7656b32423817c2d0438282e5ace39c2bac8f0e42680409a8e0c4d66a1f1c7f76f6cb782be6fbe6ff872f4265e4a7fd0acec9b6f161208155adb1d54c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[10].htm
Filesize
149KB

MD5
337b33a9636305d714f64b1ad563fa6a

SHA1
a9f2cef70dbbbef4b3a788b30a5708db84f44e7c

SHA256
ef416848d5e331ee9ddd24f9060a08b05bdcff6db947e47816cbf9518e6c83d5

SHA512
1a8b36eab3651d03100812149b9bdccad42c656a9611274e1ccb5b089cbf4dba927c58e299275b0f1d9230e4f31c26e277622593eceeaa613a9d869cc0b4410f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[4].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[6].htm
Filesize
113KB

MD5
0a26ac87fe9152b2085f792b53feaac2

SHA1
b80624cf00c08cba120ac5e624d37a2a321b4cd4

SHA256
a8ac2b99c7f08b48cfb6c4c685286897f123a3b91e5d950fb625ed1d43a2b1fd

SHA512
f104e42b34ce692b5439b1791f37944c22e0717e76d06b6a5515e05ddbb406f823593065a4c339c1be0d48706278114227a507803971a5547aee48da637f6a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[9].htm
Filesize
120KB

MD5
6f3aac67a5c9fa24edf9217810755141

SHA1
1aa1d2bf73461412442b3ec9f70b879f93514d76

SHA256
1368c0eee5eed8286b23ed0b283c05e434d4a28482a0238dda4f03721a0b2a06

SHA512
dcd4fdebb46ee9cb97160c03065ff70d15e383d8dbc35d2cd1dcfd9039322ba4d5e0d7360a468fae0be4fe6847a3ca572c766b025f496eff88dbd9196fec828e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[10].htm
Filesize
138KB

MD5
0b2f34acc31f3b9629152bc38fd33ea0

SHA1
b90921c725a73308117e3b2201dfa1dae9e9a8ba

SHA256
f87a4777b5bb31c7d43a50445610b6aa90a82a6a5a07274c82696467bd916fea

SHA512
d07f9c892869ff458a50632584beae0be0d017a7a14ad025c8b2e2771ceb513b5a57ecfdc6f33244fd152820cfbb4f3e44b08f3ac484ad1018cd43b5b1bdc267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[5].htm
Filesize
115KB

MD5
8b0f1af19e105781527717f37795ff13

SHA1
e7b040522baf99840a587173d3fb9eef8d12051b

SHA256
d7fabb9db71c6426a9b703cc69801e975ef29e3e8b15810f7c7a51aa45fc4e89

SHA512
ed0626c3ea09520d74b5a38b2baa55a5548091ba0ddd8249ff05ca6d253b0a3b7ab1f7ac4a182eb71314d9a691b1c9a735f9a4bea42a688d977e7866b011982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC97.tmp
Filesize
41KB

MD5
318b52a13d8baafc906e31ee9d8bb8b3

SHA1
06d7973f9a6bae93877439f9bf2be31eaa71cb78

SHA256
29e8ec9200325a0e5f60ea31d32b0f32dd9abcbbd5c489f03e003d7e41a85515

SHA512
f8adae9623184e0f72046bd476e872dae6e42feb490206d7273ee4541be85fd5a115d129256a7d4cf0a7f971127e332a321916e4569f9563c7bf998bdd91fccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
d7298dc0465879674d0b8665b1483298

SHA1
b7fd4912dc509c3906c4443211bdaae645067625

SHA256
471f573d9020c7ec8ddd631e7c715b1781345c890e8ea06a9330b8a2a14c36dd

SHA512
d60f097bd3f8111e9523d32b438ca35380f27a6f5a3731bac3097e7079e614d66351b702288d2607c54cb0580258ab30edac73a1e4baa17a88ee5472a26e1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
90250ac630675039aabd8a92e630d64f

SHA1
9dfa04882926cedf8ba0a267fd6731f4fa7f0137

SHA256
57090d18e280f635c4479005f1ed802853fd518d7def3bf7e86459fe3f5edf2f

SHA512
d87f947c8c2f5aa2dfe3225fb0ed83f0b5672a78c6aa4333d42395bae4ec787ad402122fd9b140463569f425dd786b4e0e834435a2b8a2e15407798cecb39a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1088-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-386-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-268-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1088-275-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1972-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-276-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-269-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-387-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download