Analysis Overview
SHA256: 550b1f2945443724adabc4ec789ea21f5647f3e13c3e3f9b397e7f584b49f053
Threat Level: Shows suspicious behavior
The file 5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-13 03:57
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
(2 matches, no indicator detail reported)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 03:57
Reported: 2024-06-13 04:00
Platform: win7-20240508-en
Max time kernel: 140s
Max time network: 123s
Command Line:
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
(5 matches, no indicator detail reported)
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2964 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | C:\Windows\CTS.exe |
(4 identical events recorded)
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe" |
| C:\Windows\CTS.exe | "C:\Windows\CTS.exe" |
Network
Files
memory/2964-0-0x0000000001290000-0x00000000012A8000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/2964-9-0x0000000000EE0000-0x0000000000EF8000-memory.dmp
memory/2964-12-0x0000000001290000-0x00000000012A8000-memory.dmp
memory/1592-14-0x0000000000EE0000-0x0000000000EF8000-memory.dmp
memory/2964-8-0x0000000000EE0000-0x0000000000EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bqE522VfA6SUHrO.exe
| MD5 | 883962fe8aa5028dc10dfd0a874c5aba |
| SHA1 | 80e9d57951532ef16db00a47556f4710c7cfb5bf |
| SHA256 | ad1615c0dd90d7b40260e5d29d471783da57487925cf29439e96feebc022f06d |
| SHA512 | 337bf96abaaa3499773b0f5034ffa46e8e2abd2ea7b81f4901ff35d88e7e4de8ad94e6d87ca12d301528ba4287597e02a3ab9ce74cba4e89d4f61c0d698d384d |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 03:57
Reported: 2024-06-13 04:00
Platform: win10v2004-20240611-en
Max time kernel: 141s
Max time network: 96s
Command Line:
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
(7 matches, no indicator detail reported)
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2668 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | C:\Windows\CTS.exe |
(3 identical events recorded)
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe" |
| C:\Windows\CTS.exe | "C:\Windows\CTS.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/2668-0-0x0000000000820000-0x0000000000838000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/2668-8-0x0000000000820000-0x0000000000838000-memory.dmp
memory/4856-10-0x0000000000260000-0x0000000000278000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | aa0f17913cad97dfc3eb38640c962e4d |
| SHA1 | c5a8bd77ed1a6e3da83d0a09e1aea8b4b858cd3c |
| SHA256 | f784d45846d98a36faafb9dc635aa1d2254adb1aa43ce10a49c452907f0c9fb9 |
| SHA512 | 6b6b3437c2c398a3c3bd09e2fe16ba4daa2aa7cce1a83572aa8cbba74050fc76b9366d6546df5a5f31669bff4449bb5b737469828019f7eae1ff84c66f38754b |
C:\Users\Admin\AppData\Local\Temp\B3tvKEG37x8aRZx.exe
| MD5 | 68975f5f209b828361637fe2fab978cb |
| SHA1 | 0b49dc05df956241476708f76f405e51610ab6ac |
| SHA256 | b0a6e2b582f7cc5ad7358014c624a2763d2b2541fa030a2578260e54c36740f0 |
| SHA512 | a0b5102a449fa820e7af1d8455e1f5a09d4b87b630cdc808edaf1e07574035630976bcb1f94b49ae0dc56fb0aa41a17599e5f717b2a18000e0b983e8874b3f62 |
memory/4856-34-0x0000000000260000-0x0000000000278000-memory.dmp