Malware Analysis Report

2024-11-30 04:23

Sample ID 240613-aym62sxdjf
Target 50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
SHA256 2dc7b2219a9da2057cab31037efaad6065de5eedb3156edecbff32e1923fa3ce
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2dc7b2219a9da2057cab31037efaad6065de5eedb3156edecbff32e1923fa3ce

Threat Level: Shows suspicious behavior

The file 50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:37

Signatures

Unsigned PE

(no description, indicator, process or target recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:37

Reported

2024-06-13 00:39

Platform

win7-20240611-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Windows\svhost.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Windows\svhost.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Users\Admin\AppData\Local\Temp\XGuUIQPOzrXxSLz.exe

MD5 a02bf8cbe7eca07722d95d1259a327a6
SHA1 eea4a109a78eaed5105514c9be75385b0c595638
SHA256 c9c21ac5f3c1ca6a1aa4142f46afb5da05c0c6a79fae6be9d0a9bbaa14bc89c5
SHA512 015feabaf6d463362b182426ec5bca220c77f63f42d057463b206c726167d06987cb17a58da7f86b2f98ee63b5cb443fa9d8476197400a43bb704beae2147353

C:\Users\Admin\AppData\Local\Temp\3312228083\zmstage.exe.orig

MD5 e7b5b8b9b5cb2903a96dc5e5597921b3
SHA1 aacca515adceeebc6ef084af3b759e6ffd1cc794
SHA256 85f83606dc5d373b211c2fe18f15ab154425b105311ba2aaab7da941ccae9ae1
SHA512 ac7d1817b3ed8ef3fcee994c79f545d423c7db29364af4989de700568133308d81cd76f9a540017db3ca47530f0332be35fbb39e00614853abcd7d89c5a93844

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0
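The indicators recorded above (the Run value Winhost pointing at C:\Windows\svhost.exe, the dropped file and its SHA256, the SHA256 of the submitted sample, and the DNS query for app.csvhost.info) turned into a hunt over endpoint telemetry. This is an added example, not part of the sandbox output. It assumes Sysmon-style records (event IDs 1, 11, 13 and 22 with the fields Image, TargetFilename, TargetObject, Details, QueryName and Hashes); the sample events are constructed to mirror the behavioral1 run, followed by benign noise that must not match. The svchost.exe lookalike check is a heuristic added here: the report never names it, but svhost.exe in the Windows root is one character away from the real Service Host binary, which lives only in System32 and SysWOW64.

```python
"""Hunt for this report's indicators over Sysmon-style endpoint events (added example)."""
from __future__ import annotations

import re

# --- indicators copied from the report ------------------------------------------------
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\Winhost$", re.IGNORECASE)
DROPPED_PATH = r"c:\windows\svhost.exe"
KNOWN_SHA256 = {
    "2dc7b2219a9da2057cab31037efaad6065de5eedb3156edecbff32e1923fa3ce",  # submitted sample
    "07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c",  # C:\Windows\svhost.exe
}
C2_DOMAIN = "app.csvhost.info"

# Heuristic added here (not from the report): the genuine Service Host lives only in these two
# directories; svchost.exe elsewhere, or a name one edit away from it (svhost.exe), is a masquerade.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def norm(path: str) -> str:
    """Lower-case, strip quotes and unify slashes so paths compare reliably."""
    return path.strip('"').replace("/", "\\").lower()


def edit_distance_one(a: str, b: str) -> bool:
    """True when exactly one insertion, deletion or substitution turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(short == long_[:i] + long_[i + 1:] for i in range(len(long_)))


def masquerades_svchost(image: str) -> bool:
    """svchost.exe outside System32/SysWOW64, or a one-character lookalike anywhere."""
    directory, _, name = norm(image).rpartition("\\")
    if name == "svchost.exe":
        return directory not in LEGIT_SVCHOST_DIRS
    return edit_distance_one(name, "svchost.exe")


def parse_hashes(field: str) -> dict[str, str]:
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes string into {ALGO: lower-case digest}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_events(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) for every event that matches one of the report's indicators."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1:  # process creation
            if parse_hashes(ev.get("Hashes", "")).get("SHA256") in KNOWN_SHA256:
                hits.append(("known_hash", image))
            if masquerades_svchost(image):
                hits.append(("svchost_masquerade", image))
        elif eid == 11:  # file create: the dropped path itself, or any svchost lookalike
            target = ev.get("TargetFilename", "")
            if norm(target) == DROPPED_PATH or masquerades_svchost(target):
                hits.append(("dropped_svhost", target))
        elif eid == 13:  # registry value set: the Winhost Run value, under HKLM or \REGISTRY\MACHINE
            if RUN_KEY_RE.search(ev.get("TargetObject", "")):
                hits.append(("run_key_winhost", f"{ev['TargetObject']} = {ev.get('Details', '')}"))
        elif eid == 22:  # DNS query
            if ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
                hits.append(("dns_csvhost", ev["QueryName"]))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe"
SAMPLE_EVENTS = [  # constructed: first the behavioral1 chain, then benign noise that must not match
    {"EventID": 1, "Image": SAMPLE,
     "Hashes": "SHA256=2dc7b2219a9da2057cab31037efaad6065de5eedb3156edecbff32e1923fa3ce"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\svhost.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost",
     "Details": r"C:\Windows\svhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\svhost.exe",
     "Hashes": "MD5=76fd02b48297edb28940bdfa3fa1c48a,"
               "SHA256=07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c"},
    {"EventID": 22, "Image": r"C:\Windows\svhost.exe", "QueryName": "app.csvhost.info"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 22, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "172.210.232.199.in-addr.arpa"},
]

if __name__ == "__main__":
    for rule, detail in match_events(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}")
```

Run against the constructed events, the five malicious records produce six hits (the dropped svhost.exe process matches both by hash and by name) and the three benign records produce none; the reverse-DNS lookup from msedge.exe is deliberately included so that the behavioral2 noise does not trip the domain rule.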

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:37

Reported

2024-06-13 00:40

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Windows\svhost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Windows\svhost.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\50a9ad5cc8e41ea8a137f54b57350400_NeikiAnalytics.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country  Destination        Domain                          Proto
US       8.8.8.8:53         172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53         228.249.119.40.in-addr.arpa     udp
US       20.231.121.79:80   -                               tcp
US       8.8.8.8:53         app.csvhost.info                udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53         133.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53         104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53         15.164.165.52.in-addr.arpa      udp
US       13.107.246.64:443  -                               tcp
US       8.8.8.8:53         13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53         144.107.17.2.in-addr.arpa       udp
US       8.8.8.8:53         14.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53         91.90.14.23.in-addr.arpa        udp
US       8.8.8.8:53         28.73.42.20.in-addr.arpa        udp

("-" = no domain recorded for the connection.)

Only the app.csvhost.info lookup is common to both detonations. The in-addr.arpa reverse lookups and the two TCP connections appear only in this win10 run, which also launched msedge.exe, and the report does not attribute the traffic to a process; confirm the originating process before treating any of them as indicators of the sample.

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 41789d1a06a11072371ac27a3b8ff905
SHA1 88bfa4cf3892f87b4ce5f25a40ab0e0ac2d7a258
SHA256 feb3e3ba83ebeecac29794535311e83fabb1fccafd1af909de0167d11e32ccfb
SHA512 223c8b65a731061c6c8d12dac9b9d4f87c3f691db86fe50b854a084e7477036b33d58ed3cb498eb6e8e029bcd4fa84f8e8d836a5ce95a2a7b3f37a47c3bcd072

C:\Users\Admin\AppData\Local\Temp\xY8FFBK7iN8Axb0.exe

MD5 7d11f8f09e70c1a8cd7df5ed8282c670
SHA1 b54e4a6e01cfcb14096ed9136c51f8c1b98af255
SHA256 8b1178c821a146967e804ec3ffe782d5e73860ea4489630906b96e00fe3b3909
SHA512 6a0a4d61babf4597599f96501f4575d00430bf39d17c1b4afe694cf4910a39335908b086e046b4ca2a8bcc984ccbda5a4ada806b434a72abccf32243face3ff1