Malware Analysis Report

2024-08-06 12:42

Sample ID 240526-eh3zsaeb2x
Target 5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
SHA256 ac82016516585cfb76c36a0808d84b263119b148f6a7aa7ab9d221d616954025
Tags
stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac82016516585cfb76c36a0808d84b263119b148f6a7aa7ab9d221d616954025

Threat Level: Known bad

The file 5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:57

Signatures

Stealerium family

stealerium

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:57

Reported

2024-05-26 03:59

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe"

Signatures

Stealerium

stealer stealerium

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2904 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2904 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2904 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2904 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2904 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2904 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2904 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4062.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 1632

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp

Files

memory/1632-0-0x000000007495E000-0x000000007495F000-memory.dmp

memory/1632-1-0x00000000000A0000-0x0000000000232000-memory.dmp

memory/1632-2-0x0000000074950000-0x000000007503E000-memory.dmp

memory/1632-6-0x0000000004440000-0x00000000044D2000-memory.dmp

memory/1632-7-0x0000000001FB0000-0x0000000001FD6000-memory.dmp

memory/1632-8-0x0000000000A30000-0x0000000000A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F92.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3FC3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\tmp4062.tmp.bat

MD5 eabeddffe7aab0b4538303a4ca0c831a
SHA1 3df0727455ff18a75b24e3678bfc37496567de66
SHA256 4a8215eb090f23f7974479c60387cf0a29fcf57b479142055faa023a70b90489
SHA512 e7bb3368f22b5d6a1efbbc8c637706168cd345e305ffd3ffdf4dacc17cbedc0ba08147ed7e5e9bbcfe8fd0e9ae2f40b843e06ac7735f6fde7d8ef431dc36feee

memory/1632-47-0x0000000074950000-0x000000007503E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:57

Reported

2024-05-26 03:59

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3956 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3956 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3956 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3956 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3956 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3956 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3956 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3956 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp75DC.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 3032

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/3032-0-0x000000007532E000-0x000000007532F000-memory.dmp

memory/3032-1-0x0000000000420000-0x00000000005B2000-memory.dmp

memory/3032-2-0x0000000004F10000-0x0000000004F76000-memory.dmp

memory/3032-3-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/3032-7-0x0000000005490000-0x0000000005522000-memory.dmp

memory/3032-8-0x0000000005520000-0x0000000005546000-memory.dmp

memory/3032-9-0x0000000005550000-0x0000000005558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp75DC.tmp.bat

MD5 9dab782a4cbec9d68f4e2e4bbff75b32
SHA1 0c4c19f17bcd21bb534ffd97ba392d2306c7d690
SHA256 fedc1a41154d4bf3bcea2b79e929ed445bd341d543796e9d4157748134a053dd
SHA512 1ebe2156c4e565c6deeb8a88644015b7d319f7178e353f2f8d67a1d43a16c50c45fcbb024f8bf4f444108cae33fa29349d1f0b30f782d92ffdf5be70f9f32068

memory/3032-14-0x0000000075320000-0x0000000075AD0000-memory.dmp