113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe
Size

41KB
MD5

fa8c90a2a7466e7e0b8ac85ddb3ccc20
SHA1

b47e0b3773f8559b4400c09443143fe7c0c6805f
SHA256

113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd
SHA512

9d8dc4b9e17d0a603bc070b1fae034bfd794afe73042de45a9a0819edf9c7794332370ab6113a19f34e5c5a91ef7f6cd8ce1d3bf10209f6137c7da0a2396fed6
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1448 services.exe

pid	process
1448	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/1448-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1448-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1448-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1448-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpAF52.tmp	upx
behavioral2/memory/1800-110-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1448-111-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1448-297-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-380-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1448-381-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe
File created	C:\Windows\java.exe	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe

description	pid	process	target process
PID 1800 wrote to memory of 1448	1800	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe	services.exe
PID 1800 wrote to memory of 1448	1800	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe	services.exe
PID 1800 wrote to memory of 1448	1800	113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\113af269e50fbc97602624508562b0d3edfda3caacae667c6b5401b7e10bf3cd_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\YRYCRZAL.htm
Filesize
175KB

MD5
bcf3dc6efe7e1ebed2bf54abb5f1ced9

SHA1
fe3d2fa3690a3d30f6dcaf5c7c76321540cec92e

SHA256
abfb0a20168d9734b804efcaee62b05c9c3635b983e4cb9e56afbd8c6aa239e8

SHA512
85b3d62e3591df59ef9439dbffe23c72555347938a2d95ac606079341b8c71807574467baf155f790b466d21599891a8fdf047995e7a3274b4a691d53ec61012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\searchYZFRLZS5.htm
Filesize
160KB

MD5
573f638258e48f1c21aa6fc7d4ce4b34

SHA1
88363fb49d90de9d8018c37800c45c0944821563

SHA256
834b14330f65f945b508508ef2d0a43bbeef5d30394ab5d27d400eb7e812e2a2

SHA512
0bce0a20d642c1dc8c4c53fb3bfefd33a2dbec297bb3605a0bdcad517fcbfc2f2fe77722731f4996c07c0ee997b42fb32a0ec8b876f1f23b84230f9303864e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[1].htm
Filesize
166KB

MD5
717e2b4f73d89c5203eba528b935c3fa

SHA1
d1a9cd0d2d63284aba9721b723d431b37d80901e

SHA256
4accf581a063f9da06db8d25c97808ddd2bb31aee7e002f06d85f528594dc86b

SHA512
edaa2d020c7de3895878694d1fd16a697b74dd4f651925c36b7733c13d0a80bdb2de69fb86c07a21d889f127ad6b9f6e04309a18a0cc5b09a64700fcc4988f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchTPT20ENE.htm
Filesize
141KB

MD5
e5ede77a486d2a4c21edf14d5b76b331

SHA1
4fc33dd76eb2f3762eae693d47cd60204ad5b780

SHA256
a1738b80411a9fafedfb70e4052a646f8ae474c95eaf25bb186eece646a2e70a

SHA512
56cffb633c01ba1ecfc358884fd2488a62b82177519bf9d08ce35db73609fca172f3e3401f168cc89454db251328adee3980a27e7b8d953736972e54c9b17f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[4].htm
Filesize
114KB

MD5
de8d4790a4a708b3628c709f54efd30f

SHA1
467c6dfed5f1105acd691bdc2661dd112a8cf02a

SHA256
a2fd2894da7a52e5dd733298359bc6d2b702b067f62910dc77476d5910e3f31d

SHA512
a529286c45db60490a1b10efeb259e4fc12fca87a41fd153fc9b15ceb9420bc836615371aa8551e038c82a438e8edc8c38f49108968468215d0be52909e0a537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[7].htm
Filesize
126KB

MD5
1f2de03377201a2aacdee0c9bfb9de3a

SHA1
ec4c71ea385b6f3feae8f6e769f558eefc9c7375

SHA256
62b7d54b5013e54a9f1a3d40487086bdfb5c0adc90314b9972dfe525a5870fad

SHA512
27a30303a3dbeec20bf965c8780a37728d5b97fed62696803cff70296b1fdfb89e31e8b36415a81b92c125766b09fd7d5183ebb60afd33394801f6d9a760fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search4W22UI39.htm
Filesize
150KB

MD5
6fea7b02a166c50d886c3ee86ac4f408

SHA1
07936e3e327208d288e0c88f2a80737b6c37c903

SHA256
7d9e1a4658d6f542b082f66abca054154c0cde85c59be89e849d28ea77be44fa

SHA512
afa598a544c871b5b15a02f66733f19ffce04cea71e7e7e505854205dd9aada31e4cd6afe21993d02078ee4d38b3e1ffb5f00a29affd2b50200c6e80dad60725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[6].htm
Filesize
150KB

MD5
5a57c4eea8a41d381c9b2e563bcfa44c

SHA1
745158546deb0afeea3c3f7c937538fc54a90321

SHA256
45a232c2dc5690d58e7d517237a2ac8ba643dfb37ee85d77af8584d8d7e8efc0

SHA512
623a7e3e5a6326e0d2cc9ed43ee7e81c03be0543f9b34e8d63a4db175efd8e441cd004fec68b8d77deaa5c39d52067d02ef12fcf811b23f7f981b59442b7a39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\default[3].htm
Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[4].htm
Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[5].htm
Filesize
149KB

MD5
7841329635f3a8075f2388b466201acf

SHA1
79e532097c3ab93840f239fa989d913dea34ddcf

SHA256
401a639c0ba84184e19d804dfa21433943da046c1a1c62cc77f51dc759c0afc6

SHA512
d56cacae2782e9d4116cfe53e530443673e117344131ffd5fe1b227bf3b57239fbad38a1530ba0091d08f396bfc0752c8795fb6019a0d773cb4d716c02d52109

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngnckogk.log
Filesize
128B

MD5
e1e3f22faeb25add7dbacbc9715a6645

SHA1
173efff528a921ed14dedbba05449892d6fcf140

SHA256
043ef104909392399e96e230a0db49296f41646ca1df59425e311df471e4e06a

SHA512
d45aa22c2f0985f368ed2152c512e2f761013860d325373600b9bc2a2d345a5d67f16083e807953a6687f945f268a09d3340a5566f7407b3e5a644984c16ffb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF52.tmp
Filesize
41KB

MD5
b712a9ffc47102ec2fcd5a7b9dab062d

SHA1
22a16e2727b07b0043e585dde911ba9fe0b76730

SHA256
7a98ae19f86cae2863ffb0b943b5310d2371e000a3e188e44512ca1cc9025d60

SHA512
d68962b9ee9b465a2a7ffb73a4d0e5d4bad62ecf24e154c9ad9b02806e4a19d02fc940c9432350308b6fa1c291eb2de28594caf6d1aca7b83289ac4dcf12f0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
6e1da3672a71d58495349ce530c8483e

SHA1
44a3d51b170f3f7720be9425e8b6d3d3d8225ad9

SHA256
34fe84dd38c3e26a1bfd07108a3039f1369f8bd6cc1a04259caa3090ea2debfe

SHA512
3fce61835b6c7a5dc2e2de9866e3ad68fb387f29d85f039f7e0ce7b88e25b71b4e294052a13b2abebf780fafc526d84e8d3f6a4984196b8bbf2815b55001edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
9e1b8835a5746715eb06989959219d79

SHA1
f40f7e464efbfc66b43e620c4acad4d36fc435ea

SHA256
4158270fd3e1d9b5144d09a66052b5309f8e7ff91ec8b672a9f1c2f55dcbfde1

SHA512
4d07a7d2c1474558a44c1a831e913c7ec92e454fee89749507e6343f573847de57217ba030955c32f080d538d3d2708b2b039cd3ad6a41124fa0915676dc9bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1448-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-381-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-297-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1448-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-110-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1800-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1800-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1800-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1800-380-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1800-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download