0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe
Size

41KB
MD5

f86696d3bf47cd6e54b6091552ddfbd0
SHA1

f18387b58964b72f4acdfebcee8e5bd412196412
SHA256

0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc
SHA512

64ba3396eb6a50ec0d72b8979b5c0828bb618023113a0578d3e3ad40904011910aefd09274d3b48c451d6bed84effe996e081fd969982dea9c1e5548cc16fb5f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4984 services.exe

pid	process
4984	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4248-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4984-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpE164.tmp	upx
behavioral2/memory/4248-341-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-342-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-498-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-499-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-501-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-505-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-506-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\services.exe	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe
File created	C:\Windows\java.exe	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe

description	pid	process	target process
PID 4248 wrote to memory of 4984	4248	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe	services.exe
PID 4248 wrote to memory of 4984	4248	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe	services.exe
PID 4248 wrote to memory of 4984	4248	0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e75198658cf206fef1240057e62b7e90dca5de377ab9f5d6649aad84c26a4fc_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\results[5].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\search[3].htm
Filesize
128KB

MD5
2c6daf2a9676d66e3caf109c267dbb19

SHA1
ef23ae46ee98f7d3ca18e6529554403acf0b9557

SHA256
7b87fc2745c0c4318e35fcdd9603ed28ed285eb7e47b62d50de0147ff580ccd1

SHA512
23cd5342d2ebe9c37f4e91db7866e1557ab693ffe84ab28417f4f8a1ffbcd5c2885957a33efae580927c8ae6a227754d778fb8845df327aea59c2ce6972dc531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\search[8].htm
Filesize
173KB

MD5
c001ab3ee7abd515e77a23377137be62

SHA1
004a7abeb02b4e0b0142a9e3af441da7f1bb47ee

SHA256
76c2b6874005c22b612c7112355a39af4c1778e35dbf821712f697db096ee1c6

SHA512
5c9398c136d57e9215e58d9e8935dbed071e8ec11eec7a271d12ad6e3f4d1b9160a2b97529875265134323b70a4517a04de52b317fcb613b706aafce22172508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\6RM54781.htm
Filesize
175KB

MD5
edfee61e0a651d4ecd6ea0b244c8baf3

SHA1
d8f3b80647c46ee2e3bf463a6eff7d9c4151ba53

SHA256
05cd312bb692532d9fb1d2c09566e7b8b514f605e6deee7875466ec3815b71fd

SHA512
a6d7e9835703870497754137d894440bc579ad4ed465be14b04252484a50cbefda38996c864329c624eaaddc9debcb2c5fcf46a13faf2e703d2a7a553da1e62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[3].htm
Filesize
131KB

MD5
c33a9befc25934aadaa62a2710db6b99

SHA1
d14ebe520e3623d7b806cbdff304a2153fb8a9a9

SHA256
4345d95a34542be0b616cacf38564074e402ae8a3f1e2b7da61df2f179272074

SHA512
3ea61bfccd07b54d400a0dd944c5503b857492565107e52430b0265cf7beade7c1da0819becababa311e17471195286ce51bf1e34af3891c077385a27f951dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[7].htm
Filesize
117KB

MD5
cf6b8e559017a8826247678206b84725

SHA1
81f1877e314d48e59b99e211b42633a3a4e8678a

SHA256
faa712b28ba557c2d87df6ee5a43f31144062126eaea9b988ee914cc40c75e39

SHA512
de3618e4ae0f31d6447ce2540374d6c2976f81daa3e2f87848b012f05f22c2cba993b5de710d3e307827f144318de9eaec595d56ff6450a5e07e2c6615d1072a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[8].htm
Filesize
92KB

MD5
1dec6a50ebbd27c6a4770d397b99be6a

SHA1
f951b4deab4812c30b12e9ec97799c5eaacd0784

SHA256
e11ac5060ab765b225ca17f020e63979b285957414ba72ce09319c5b93d075c1

SHA512
0b601a96be76410a2045040b86d55862d333368147ad917427e648867b99eba199a1d5373e13f77a25627fd2660f87797e86c4f981c3c7829377a12b79217e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE164.tmp
Filesize
41KB

MD5
916d5d2acc4d2c155839b5626947562a

SHA1
b5efb73029483209832de67b69c813699d264124

SHA256
fc950f877d629839e887a69dc5f13501ff08881bd5f112371ed3d69d33924765

SHA512
6b32c03858230ed26cd1cd6d1677f463f827ba12502293221517619068abf7ec3fbfedf0060c3ea23f0f553785234b215dd65af3f579acdaf15cc0537968407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
ba56c93e3022cdeecfe55e75699ad657

SHA1
5962fd99857640c1222cb70604a6c581e5f150ab

SHA256
281f1fabfe7c35b7e3fbda395e5cd98fa0883cb26e58f09383662a22074a83e0

SHA512
c8c1cb6f8ebd934e0776577af4657145d0e05659d1711ddd9b16f284709dfc4d4faef97e089fb009690241bce30e6a19890d0cb1b39bbc6d89ffca418235eeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
64d24e990cd75afc10400ed641cf00f1

SHA1
9f19e4a03abd6072166e839bc10f4a435b3ab62f

SHA256
4ee37e03f53903da7f887ccfc2eaa6ff262dd289438067e543cde02e5a77846c

SHA512
74070036384a60a980b29499a6660e0f9007907e80413363bbad721df45ec8867b5b22ac8ef4b705b94ab0284c74bf1ebed84daa33f8dca9909b94485d829026

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
4b5f58e1ec45884d99dca0a556ecbbec

SHA1
bef98dcc3d1daab6d2902db439580bb216838004

SHA256
b0b317b7722d583beaada953d3fb853e494a981cca7a4c24e4611807d74b570a

SHA512
6f74b587070dc0fba59d003a3b559b4ea9f51d4f53140b83a317690ca54e138cd039fd5cf6341a07667ca533d6df375ffe3a7aeb4431e55c1b1dd52e32cbae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4248-341-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-505-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-498-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4248-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4984-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-342-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-499-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-501-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-506-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download