Malware Analysis Report

2025-06-15 20:05

Sample ID 240515-mz23taeb93
Target cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics
SHA256 56d4ccb45b58f1842ce637557ff5723fde96f45969074250c201a2d14dcbe604
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

56d4ccb45b58f1842ce637557ff5723fde96f45969074250c201a2d14dcbe604

Threat Level: Shows suspicious behavior

The file cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:54

Reported

2024-05-15 10:57

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Temp\U9Mre5fmBYcLICU.exe

MD5 f91ab761a32e45af84a2c64eca960c86
SHA1 d1dae13766a32f5b5aee96fe7893120f5c215cb6
SHA256 f00e32dfde2a3ccac244fbfd1b48790e7bda2a9f8d86497688a10e7f6dea153a
SHA512 feb60cc6252859e01c4ab3c7b95feaa21eeb6a9ce24a536ca7d1f3b409021fcf874f872a077e09c452d90ba0a0f2306f74aea505bba9b77d98922e0f5156a3bf

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:54

Reported

2024-05-15 10:57

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cb912c476204e3ef21c9eda2fc6214a0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 71661453465c3cc82cfb0ad163dd48e3
SHA1 401329f442a1a73a805a00b037cede67baf3c228
SHA256 acfabbea2ad41a4decf2172ed2e2543f84485ea9fb8979997d553153c78927ff
SHA512 be190f0f85aa36102f9cea00e9707e60e8569b4b35b6c0b07fc7d2cddd7383ea9e63263c547c3bdf77c01ab080dafe6354200ae9b817519176dd25e9e961c1e0

C:\Users\Admin\AppData\Local\Temp\ON4tOM5KkFgvRNj.exe

MD5 3f6d9b9f549dea6f9a81acff6a27d7f7
SHA1 8ac7059d8219531d6ba350d71ea4b368c80fbcba
SHA256 4ab0e0c80a92ac0b4fb3c79b8c91d427166750c657f9d7680b967e9ce1f8b80b
SHA512 068da945041ff399a2a7e8adeaff405e2ecc5fa5a52a0eb369d6bfb901414c02752a1f5c198d2b3c372803fb26ee5d9cf0a8fc7cbea8d18382f89c7929713589