bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe
Size

29KB
MD5

568d1460dd705eae9190a097a039fa30
SHA1

1c998f7a51d986a2fbd830a54620e593fd4b4d35
SHA256

bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31
SHA512

70cfb197b3677a773167fda065c63af5a51faf08695d9c4eb5539e8a21612b5fab283fc4dd4951bed9ce344e9575e80e922aa25303f272f91f9e575b54623c1c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/WqGL:AEwVs+0jNDY1qi/quNL

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2480 services.exe

pid	process
2480	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4168-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2480-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpA352.tmp	upx
behavioral2/memory/4168-166-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-249-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-250-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2480-255-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-256-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-257-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-332-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2480-333-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe
File created	C:\Windows\java.exe	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe

description	pid	process	target process
PID 4168 wrote to memory of 2480	4168	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe	services.exe
PID 4168 wrote to memory of 2480	4168	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe	services.exe
PID 4168 wrote to memory of 2480	4168	bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bad6b36eb122bac0b8f7de44e825aba1d8c9e809fe38666d48a07e9d2991dd31_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search2GR32J0K.htm
Filesize
149KB

MD5
00dcb695d1e6baa19df5d95c5985d78e

SHA1
94bb055d1fc4166b3bdfcd2f47b77d1a005c86df

SHA256
10864f829556be771718c6e6bbddafe82af81460df05f64685ef2508850fcd55

SHA512
b9a5809bebb22a882249ab7fa0e7b77b052596e09c953742f68c4099891b1d334352e13775d50dbcbbfbe34334232108597b6faa87ebbbfef4c43d88e19430a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\searchM2MQZL18.htm
Filesize
150KB

MD5
681a717a209b934957f29aef1c5653b1

SHA1
6d1ce876475f5c560b1755f5eddaefe10b92411f

SHA256
1f25e2272dc03a2f7db14eb5c33e8d401c560d605107bc71ffd3491694545735

SHA512
2c80e6e09765ca5cfc9ff24a0516fb59ef9d8966fadb3404081dfe21b415b13bb3495643284998d576f9ef4812b8de9f656ff47142bfa32f06087a0deb226778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\searchMMP39GNZ.htm
Filesize
130KB

MD5
cfda8f7c6cc1b79c0317a8753d589784

SHA1
c40bf3433b1419939b47d0ec37a5fab8f3320b43

SHA256
816639be52f4d5e8b91dd237f838ee445f4f4aefa4d71b36fef34d979f8e0970

SHA512
99f9c099d384e1c5c07499963dfb72573370cabbe65a721af9fec5240ab945db17e689b53043663f2d7f6d7bf17adbda703007bba24170c3de69ab14fac0458f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[10].htm
Filesize
133KB

MD5
7bf897de14493b2406156138d84a48ce

SHA1
4db040879c17e8cb5235fd6aae215b3e091d8fdc

SHA256
1011d77d1756f5fa74b49ab305024797bda42b4307f89710f7642405925efaf3

SHA512
50fbe2bf974a47c5b2d0a53658f1e9ff7d34bd660aecdee067186798e6763ed26474cf2414b294b54dd77971f5ebea6f39c06fdefdb907e545729a5f9c246793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\searchKK18WHK8.htm
Filesize
130KB

MD5
7c604063f3954d1937e5197cd7d7d034

SHA1
36b6127236de1f014c32314f9eab3035b756487e

SHA256
18218da696aaf5ea744e20dfd72c78ab8f46f63be32669436cf20806948588bd

SHA512
54f27d774cc3c3f5088055f2253b39d9a46fa9fb4bb3616eee212b6ee37234c3bb81668178a27b0971c2bbab2f15451b7776684b635ff04563e57b20ec20cc43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[9].htm
Filesize
180KB

MD5
d752fb6c852df0827c5d6447b1e36275

SHA1
0f66bd7b8c3b9a10c047ef455a7b109d64d0332f

SHA256
f6f9fd72ac75bdecbce6f7eff793b39b7fc25743b8437c07bcb5f0fb82bf2c59

SHA512
6ee415efe66f8dd2204a7e8b1d30b1d029f50855382b6a56fd55e59ebdda54e75e29ebe0ac75a264fce503aa4da011640e801bd6f4e9765e28db5353a6e09b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[10].htm
Filesize
115KB

MD5
9ea967b56b99d728d64f61c3b96f4ba9

SHA1
7e3475226d2ab9b3786e384e718e1e6e34223550

SHA256
172cffea0a0d25d5466492fe650c5ce322ccd1ab7faf9262fb143dc3a3b15b01

SHA512
3438c076fc38dc6e895939c3f29c7d87c00bca6e589b5390b50fac1163a0784bcd3e3e7f28645c5bda67c54416b82e9fc1137d084bb24125694d31fb09028cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[4].htm
Filesize
113KB

MD5
0ac670651ed955ceb9a49ece4fe8fce5

SHA1
bd52b225dcdd3d7a681ebf412de827053a4d1837

SHA256
6910755a0a2ee69de7ef7e9680cf04b4ed9c1444df98cbedd1abe8ca06056f6d

SHA512
08a02ca83ced2408fc64600d0799e783f63d06b95a66aa848e7e0a6c61b14e56c884179eae8cb957468e76984616f8f25a3c9435a52fabaafb555afb4d4a8296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\IA45A3R6.htm
Filesize
175KB

MD5
ac6c7317f1b62c5cdfb37d712fafce2c

SHA1
44ea3ac30a0eda4c2d0980bcb74e1c1aafad78cb

SHA256
25111960a7fd67f2752d7860ee6ab0ff5538f863fad56ee6ee5b763c81c0382c

SHA512
a164b64f7ee9cec9744e7909fed13cdcdfe4642c65da20ff94ca37948a740000dc2d9163893c65011f78b2d472faec266b4fbe8b619181ff307ac71fc2bc6450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[6].htm
Filesize
187KB

MD5
a9fb5b7d4de9a269dd4ae32aba3d3b3f

SHA1
4baf3af5f43df6412eb9e9288c5f13d6d91d0403

SHA256
5cb23b8a95cc2c6295a82dc5343ee6cfdf3dfe212c30e973fc0a783fc3e653bd

SHA512
5219851aa06581b84d65f9b6f433e4aa27f20a31700e5a22147266ccf0fa80c6ccf3cac3169698bbbe456daf04c6fb78a1f02c94c16920976ab5a041f589be3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA352.tmp
Filesize
29KB

MD5
6eaa235e75df375c9ada8c5ef01d8f61

SHA1
d7377277142cded5f29bb33bae6c73c90e089e42

SHA256
1108a38a9bf25691f79dc21bab340fe6e6762fc642ee2801fef70761eb737cc5

SHA512
976cbdb7733d0f8e5c9da792639b08c3d74692bd371a5e6745a813bca0d1494187354ef55a3e922500ffaa1328089e0b7384347a5ef80f1a116214a9eddb2549

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
27ea25a8f3c6a437de404d707cb3e046

SHA1
bd557af22d5e0fad018d647473f50c61a8066ace

SHA256
0bb81548b25d89ed6432aa1975c4ea3b504367c08cd8780577fc1bcf6b8afd34

SHA512
37a18cd25292344bab577d2e0744fcb57a86ad783a9044b166648766387fd7bf12deaaea548775cd930a9946ad110d19b91e9ba2037d17e4cbc35723fc9be9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
37546e150d5659995690bc92ef348f23

SHA1
b109d5c35cf8ec248b6313567da9740c18fba387

SHA256
515f40e74ef79166ec2195fa33de11a824f4d8cb59372a14ebdea67ce7e418dd

SHA512
064143d151c8219ec0f3112cf9946514d4a3bb519fcc144ae81de7dfef9fe57b60acc95da84e224f2a11168fb3f363f0882a7fbd19b929c51c7f0367015c50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2480-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-257-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-250-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-255-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-333-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2480-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-332-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-256-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-249-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-166-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download