3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe
Size

29KB
MD5

c1d2f37f8c4af958518504a30e8cedb0
SHA1

6d8b85c22e3cfc025e7f9ca9c6368e345919c4ba
SHA256

3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265
SHA512

12d031bcfc83f1cc15a602d3f49586fa7eb94b3bb51ba0ed4c411aecfcca6609043bf1736bf62ce2f1d945b6512157c0cbe73033e68e6ff83e4e4fa66b89f2af
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/O:AEwVs+0jNDY1qi/q2

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2504 services.exe

pid	process
2504	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4604-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2504-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp	upx
behavioral2/memory/4604-191-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-305-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-306-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2504-308-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-312-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-313-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-362-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-363-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-364-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-365-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4604-399-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2504-400-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe
File created	C:\Windows\java.exe	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe
File created	C:\Windows\services.exe	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe

description	pid	process	target process
PID 4604 wrote to memory of 2504	4604	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe	services.exe
PID 4604 wrote to memory of 2504	4604	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe	services.exe
PID 4604 wrote to memory of 2504	4604	3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3948b9da5ad377018b073740a984e54445a56fe85cd95effb6b8401978327265_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\results[3].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\search[2].htm
Filesize
145KB

MD5
00441c408aeca465ed7dbd0aaab79fff

SHA1
82832a807655956474b3297e49c00020972a8fba

SHA256
5b2af758566afa79ba59ca79e0dcfd4793b8a185935ecec7c7242ae8ca34ef91

SHA512
87a273d3480a31cd81eebb38219b56c48010a7a4d7df9c707e34b5e634f00ad2d7dce08d9ef04c15b47606dd7fc6f1117d21ed287b12c5de25572f9c7fdcbc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\results[5].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\searchODWJY3QF.htm
Filesize
114KB

MD5
7acd7d2ab002157a86a2a330805b8bb2

SHA1
19e07bd2dea118dadc97efee777c260a3ff1b6b9

SHA256
fb202c1780e543704b31ee353fd6c4b281abbcde810e2a90b3e5571eb46435a0

SHA512
93f6fb12f6d09b7bd54546a1fb1e18874727c1bd270d8c8ba3e7d8fcc31a724ab4094bc767feee03cdaceba293f10c166c13a55a472ac829f143c2579600ba1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[3].htm
Filesize
140KB

MD5
597f953d2c2bbe31ffffcebf14eeb3a6

SHA1
0d08755d01c712b8fc03e2803aea56b1163dfa44

SHA256
19e45bfe699dbb9af7a6579d71ab63f1961ef1494957d55d22874d2a7b0b65c3

SHA512
2170711f19fdf868b1e7908d7a27237c433982a61323bae36ab67ed0daff5b265174d4df8396f1db9309b31fcb77be82c57ba9cc20eb452e34379e5feab1eb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\searchECWQS9VU.htm
Filesize
143KB

MD5
cfe2e7e76a771f150c23f01dc0454bfe

SHA1
79befd2c860c5b2075f68a221844479fb53b6bf9

SHA256
006e4547e0d7277e18d7a8ceb1677051612821e4e229f467d951e0b57d4e8509

SHA512
d9dd25868315fadb2bf2f120d66a0ad1313eda4a9980af0270357e83e47a845c829c59d01df262c6359bd1233db588b7f3b6522794d6431662bba4d736fe91a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\searchRJOVISHZ.htm
Filesize
151KB

MD5
49463e1ad31ba280fd5ff9ea0e7b66a8

SHA1
b7638a49f675feff1d8660673db96fd5b8e0b5ec

SHA256
cbd409e6faad9f2faec4d54520a29a4186beba4bb3befb54029ced35b916678d

SHA512
57af751ab3327282daec8e95b6433bc543cf461c7a6bfb493d940ee022c6b95c4218dd05a968081ef9f58ec853311f9188a9f981bd67ffb5903ecf388b7f339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[1].htm
Filesize
122KB

MD5
2d39c23b3a55fcbb57efaf8b4b89b66f

SHA1
e0dbc7d75b6d929e70ac16defa53f75be5d05997

SHA256
4a2fcd7b4664790c458c3eb555afd0db9b2a485e304d1140548a0b87cae64c66

SHA512
e33cd49828c6c4b983104d60c2bbe094c6abb97add066bd4e5a925bbd9ea4a31f9e4a4929ef2ad447f763fb1d97ad2c488d74e2a9ba782f36f0855818d35d21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[8].htm
Filesize
134KB

MD5
ffc109f5d03962f1824c157a913fec02

SHA1
141c819b5c26fc9aac6f3be9960a653d1616aea5

SHA256
7882cdb5cead6df3c1f1f455ed86bacb779f5f47a04447b04cb5a8418f590fa7

SHA512
588679f5a16fac84d393602e1af3b33c35942f6bfa8711babb19ad498d7721d4bafc31943413b0fe22f3b6e4116fc9b4f93828f319882bdff9b0780b73cac84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\search[9].htm
Filesize
140KB

MD5
ca5178e07b80f0293f0ac3d36bcb0fb4

SHA1
173654e8aa847761ffe3be2b072a969aff180603

SHA256
8f105e9c34863817aa7e545125da0646db0b9d7d1c3983e0201319ab1917f0ba

SHA512
a65b2ae04e50fd487619896a2e27fa68414f18db38171ed3a24d1bf65d830f7b33c470b8590526e4dea20387bf9f5eef3e40d1455dc5dcf3e37d167d26f114a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\CQLHK4TL.htm
Filesize
175KB

MD5
12cb33983ce0d0044f35b493bc872663

SHA1
509a701006fd08535d9e80fade05e6d4acb07335

SHA256
a5f86bc067c568b67c498b5e589c65237dcd2ed59053e710f1d86270941b9bbd

SHA512
a4a9f0a788c1aa064ace48239ab7711de9315ffd66fdefadacab224561ee9198e05c5db6627806222105afce07907069017b4c4045ae166db87265743705cb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[10].htm
Filesize
172KB

MD5
be51546cedd2e530f67cddb9170bd6b4

SHA1
c330ff6d8492472612c6238f91d12394a16b4eb8

SHA256
88867de0bbabc8baacb9d989a3b718a4eee28ec4b03e78558d44ea95f41e66ce

SHA512
516f8897fc8ca7a016cca27ed19df1cf981749132d2dae36d6437b1ea42a51038209a484027856a2c33d57dc89cf4939d05e26283cfe9b06cf23583679e67865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[1].htm
Filesize
157KB

MD5
5bf78baf51391870fd3dd624208dda33

SHA1
85fc55a1564834d52a5d8c1a02c56e5675f8bb8e

SHA256
95ec1df2f1396cb05295252efd8c13a1b5da1e98a53348244b721f50b63924bc

SHA512
3deb908db0bb0f50d31022680dc906d91fab9d7534d6c035097324648afe6be61d82257fbca9168518b60f65c0c959d24ca7e73e8ca05ab40020bdae01f3bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[5].htm
Filesize
183KB

MD5
11b353704db3137da0de51bd8db4b3a6

SHA1
d3b35a9bd7ccd5d0be5bd3a0353f9cb6d73a334d

SHA256
8345b6c4428838b0dbe4ca8451d56f32372806bd0c2ae295f9dc8c0a64555ec5

SHA512
5d31c1911c4257322d7b73686e7bfd4b3db250351f402dc2275286f3f15b73877b38d07fa016d1b19ff5ba8c07d816619743933db06a78f8b0df4735b3fb8e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp
Filesize
29KB

MD5
752d995e200e3345f313aa11dbc30f7c

SHA1
3260dfebfe73a3ace1276ba6d5bb187d290b0fc2

SHA256
2748ba53d03d174a036844d100b67da47c7b3adbf2e1f7cd167388ca74eec8f9

SHA512
8e351d5e1322b2c2c59dbfd237c781fe0845aa5889bed69255620f05c6d9adef8bf9934b5c06ab29d1d5ef7de0dd29c8bf2584a700761120bbdbd58157962d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
8176c9ed78ccb67853b555b0cb4b95ae

SHA1
5c91e6131d633da00d1f32dce51299b061db33d0

SHA256
f5736e836700a57d3e594b965bedbe358a791b4723cac3c307b153014450b653

SHA512
57740f61043416d4bd29ccc6f55d9c58d601f24af66983964d9e9bdbe327d7b97d23fe04dd256447160feac02a5b4878a175bb201baa250762fa49b75ebc3faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
82b18c0870351c6ad84b74e10b37555e

SHA1
4ec2f229b0610dfa74329ae9805ba6c8af18a25a

SHA256
47463a8babeec0ff91ae0a5e8e443444dcfc298516419a4a26b9a1cab24aafd7

SHA512
a2e8a69d642a18c70cf847ac80632ad9730eee5b835bcd83268e34fb92208eb4f8adf812ae285088f2db4f0aa137c8d161a847b92386b7bdf05f064973b29ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
d25cbf65faff81beac38c568c0f126a1

SHA1
7508ac627e97b29d6a26411189ccd8c4f4f4eeb7

SHA256
a2fa1475121323d5c6529220d3d07311c94dac1054b31ea00db6691b0af5a509

SHA512
e7b2af6dc616b0f7686590167d5aad6692fc0c20064cd61dd8eaaa425275b3a1f98844470fb42e5a558831a718f6fc72e22bd2ff15e7adf9fef46a1af1d07e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
8115478ad059b345f7f118189a120351

SHA1
38e18a0bf3b84c746e443590473e9a00278a6277

SHA256
b1b6b0f6d58c5d4436d65dd5b344f9aa0c44277570f3229bf7d3e76f39dfcc0f

SHA512
7afa4acba3e2b2b3cf6fb66120611e37600630bb697a7da874b57ffcd2fe2e864cad3b0b907d998572f4ca83ec0ac98158dcda7720f0a59be874d9c2c628e102

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2504-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-306-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-308-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-400-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-313-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-363-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-365-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2504-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4604-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-399-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-364-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-362-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-312-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-305-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-191-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4604-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download