1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7

Resubmissions

30-06-2024 00:53

240630-a8s52svakm 7

30-06-2024 00:41

240630-a1t3datgrj 10

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe
Size

41KB
MD5

d01480d348c7f7c303075f53bda8fe40
SHA1

ce88a158b76e21e47412d10d471e77b7936e1a02
SHA256

1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7
SHA512

c018be73d8a7237ae6128416cfef6b04ceed0c47effb67bcf76e07106d52a63eb48e643fcdde5c9cf643a2060abb7966d29757d2d6ebbec07bf0c61b010d0790
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2180 services.exe

pid	process
2180	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2332-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2180-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2180-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2180-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2180-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-57-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp	upx
behavioral2/memory/2180-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-267-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2180-322-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-431-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2180-452-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-453-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe
File created	C:\Windows\java.exe	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe
File created	C:\Windows\services.exe	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe

description	pid	process	target process
PID 2332 wrote to memory of 2180	2332	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe	services.exe
PID 2332 wrote to memory of 2180	2332	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe	services.exe
PID 2332 wrote to memory of 2180	2332	1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1415e790333a048eefb919921346c5f9f9d179e01b959204d2fb892b2801a6e7_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\860BJW8U.htm
Filesize
176KB

MD5
57dd45a0c1b343a9bca591323c107790

SHA1
35904f613dc7df7a5e8c972eac964ebf691bc7ce

SHA256
bfd48e9b5e6f7867dbf6dc36de04b1bf45f20164a9779e57592bc702153e0417

SHA512
adcc7988c716e08eb69638983702aea2165bd5baf79bc04b07cef041ac21984b9307e23c9c276b729eabe54cf85068e2d86879dc346b15b7543dafeead21b01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[1].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[2].htm
Filesize
113KB

MD5
ae937e06dc9b5ff200e5903905184e78

SHA1
93da7a31f0ea03a78b2afcb37a6e0b65c487191a

SHA256
f98e57df0de6ec43a548b4ea91b455ac05102df48a41b23f28c2c9924c1320d9

SHA512
ffb40a7c106d801af6162f54882d16fb1389408752659b96e7a49e450b16ba2a2e85afeeeb92e2497f4656e11ffd114d6f79da3e8269cc09161323be04d6ea2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[3].htm
Filesize
144KB

MD5
4e5941c8fb2eafc57c6e7318a7f7bfa0

SHA1
5d8b2383246b1cb4a18b5fc0709f6f0f3d676ba0

SHA256
e41266b30e28ed3147b8a3d63a63fe8f82c7e7c083ba47fae8a0af9a7e8fd78d

SHA512
4636651d524ae8dbc5de1a0a27e3c7f12bfba2f904423794c2ae43e270db805df0b84405e004549b6d4a0a1602c5713023c1008de36a050958565d6f6047ec08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\results[2].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchW2BF30KJ.htm
Filesize
141KB

MD5
145f316181b037be30955686c775f766

SHA1
ce9b520dfe36a0d81e6958f825f1c50295edc509

SHA256
777ebc379cfed0fc5668a31c8b3e0756ab36823c1c572c1cdbd53e85a4b5fa9f

SHA512
01bc8f309f1f6b3402b0a62bd84188d2b15a01d98ab74ac232b59d9b0e787465114b4e3ca844aa29759df4ecf5ea875fcceb21f5cb2d492b58a79a5a69a01d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search6NK62B98.htm
Filesize
138KB

MD5
f1daff9b129af7b563b0eae02b558497

SHA1
3b02cf7b5f2da6702bd581c8782026cadc7e7dbd

SHA256
0ebd1e31a7e142cbd005d0b73f579e679ef423d2526582e450c30a713652a351

SHA512
4a0f62231f78bddbeae63a872624f6d63f9dbd0c945d5092d7c8556191b67aee1f1846e68ca4a0bfe8ae4d71b6e17e42e78a4abb5797f298374dc939d2b03a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[5].htm
Filesize
153KB

MD5
bc210bc0cfe47a534a48768beea68f21

SHA1
0fdcd9d9bfda22a0646d1fa72846f1e546301a43

SHA256
bd798b31161497f6e53ef3f6b2a38dc2ec78139384e8b75b7fff280b8d4f2b70

SHA512
a64c6886872c2b0db0a7a03b2cccca12f36b3b1ca05084f0038ef7577ac703e4bc3a7b3642fbdffd962d2e26c23d22396964132f550c3825263b20678808a8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[9].htm
Filesize
106KB

MD5
a7b7c713c564b4d1d35784aed45ff552

SHA1
3787a08c12c9950ca56d913eb8862d5fd98093af

SHA256
0d6cc86f9f66e592712b513a4e47d4965e7b1d19c081b2acc5f1bb5ec9752c8d

SHA512
0145652c7dee2ded4af8cd67be147a9a4032417411dbbd5360ba2ebbdf9f62e11d10d1f3359f59b64aeea8efdb73c0f978110c3cae6b32a2085973bea6c96bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[4].htm
Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp
Filesize
41KB

MD5
b6a4888ce480ec655fcf4b5f51cfb959

SHA1
86133f2d280962f169bc5db1e6439a479754c889

SHA256
36a8b705502e940dd66d30de3ca77dcae8ea78cabdc083eb59305324c9a629c8

SHA512
32a28f37831b0351a7eec58ffb6e378cd089d0b600326406f61af56cc6fe2dae7013d2142ceaf1c9cdc576b8be4c82e910d32f2c9a694843de1f45aa2ff9fe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
fc11f1f2d0d7fd3d62957ad1b353a0c7

SHA1
fd4963c90fea5a05642716f5c9f9df2a2827906a

SHA256
efce8992d8b7420adc6ebcbb9e5c3145985cb615b8f1521305d63f77d1461664

SHA512
f43c10d095838eb4ac15e091827e160e5c2f55e4392751bbe09de5319dc6bd1bf7f9352a06966a25029c65cec035562cd87d8f46cf4c9db19aa76d766c5b318a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
cf3ce8512e0aa8a31e7740d3e4a748f5

SHA1
98108e9a09d251ac969a8664df84e83bfa0ce3a8

SHA256
a0a0dd2ca65dd826009b8bd0a31056647700fb711ee51f5cb0473e1129c239c7

SHA512
5660f8bed469a4dfd7ffc767cb509b9b1076efbc5976147b2a8ed12ba1dcbf92fc7ea9a35b9876e700e800121a874ac9b678d5bdc2219922e885257d098c2f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2180-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-452-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-322-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-57-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-267-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-431-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2332-453-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download