Malware Analysis Report

2025-08-06 00:22

Sample ID 240607-s651yaaf2v
Target 68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe
SHA256 921f18bdb63225ae82a72100c354723db372981a997d85a5d48bfe3745573008
Tags: persistence, spyware, stealer, upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 921f18bdb63225ae82a72100c354723db372981a997d85a5d48bfe3745573008

Threat Level: Shows suspicious behavior

The file 68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer, upx

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-07 15:45

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 15:45

Reported

2024-06-07 15:47

Platform

win7-20240221-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2164-1-0x00000000009B0000-0x00000000009C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2264-18-0x0000000000B20000-0x0000000000B38000-memory.dmp

memory/2164-15-0x00000000009B0000-0x00000000009C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

MD5 68958745157c27c2c7f914bb751ec53a
SHA1 c77fd69aff135daaa0c2b561ac2119c79d8a7bb5
SHA256 42a6dc753c4ca407dc10a88358c5510497a8e81f8a5a457a000f83645c6a4ff5
SHA512 e73600310e71103e0962bc807680173306034f9be89b865c1d798b523df5650728af7d0c26e5b38358b7a224b77d3399074cd72114d0e7b78244158e2662c6f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 15:45

Reported

2024-06-07 15:47

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\t9UEUPklcJjo8kj.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\t9UEUPklcJjo8kj.exe

C:\Users\Admin\AppData\Local\Temp\t9UEUPklcJjo8kj.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.179.15.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

memory/3024-0-0x0000000000530000-0x0000000000548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\t9UEUPklcJjo8kj.exe

MD5 a32a382b8a5a906e03a83b4f3e5b7a9b
SHA1 11e2bdd0798761f93cce363329996af6c17ed796
SHA256 75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346
SHA512 ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

memory/3024-6-0x0000000000530000-0x0000000000548000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/4200-9-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6cbfe0b650ba4d476d2e9444781b1acc
SHA1 8e75542c358d61423b9dc324f581962fcd11f72d
SHA256 4402afab9373554d94dca739c5bdf97cf835dc7645fd81c15cac4d5cae57592a
SHA512 26620fb4dbc19cfa7ec7a14b747c5b9a2fdb7c26e80ca13a17265a76f25d0a1611cb4c8b0994d7ab87eeea28dad5a80b0eacaed4468b5c51ad4e616de61a92d8

memory/4200-33-0x0000000000FC0000-0x0000000000FD8000-memory.dmp