Malware Analysis Report

2024-11-13 14:03

Sample ID 240604-acfj3sea5x
Target 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
SHA256 d9a80ccf03a5c2a2cfc478cce22fcfb876757f909536f1711b9bcfcdb41baf35
Tags persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d9a80ccf03a5c2a2cfc478cce22fcfb876757f909536f1711b9bcfcdb41baf35

Threat Level: Shows suspicious behavior

The file 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:03

Reported

2024-06-04 00:06

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe | N/A
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

MD5 e97c622b03fb2a2598bf019fbbe29f2c
SHA1 32698bd1d3a0ff6cf441770d1b2b816285068d19
SHA256 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160
SHA512 db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

MD5 43adfd9e2cb64bfaaa1f7dde6b2d8db4
SHA1 64755e47beb78d60d62b2ce43133fd67d106fa69
SHA256 cfa38938cef31e9a3b72a854cfbe940f479479bbf836eebdde13d8931d9a2c73
SHA512 ed1ab3c86a93272d78a4c791c3616f41f1cfd60407e4382f26768180136139d6dcfa00dab45d270acb5c0d8578ed2f027a9d504a9503609f5a5c94475d02a4ca

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:03

Reported

2024-06-04 00:06

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe | N/A
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe

C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe

MD5 e97c622b03fb2a2598bf019fbbe29f2c
SHA1 32698bd1d3a0ff6cf441770d1b2b816285068d19
SHA256 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160
SHA512 db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 b248c7a7a9ffc2b4353db49aac4c391e
SHA1 322f9e0e3111eaa9b85b041d45d4cd4cab75172b
SHA256 ffe03f51696ce1793242ec5b305a64e3e81d529688bdbb853e0d1d2246dcb572
SHA512 82abf36513e5e469f5655998f7cd4013006191a602fefcb022db30633918005a8e2a914102033cfb7421cca5db13462fb93136879e0ce77fe71438ddcd1ab744