Malware Analysis Report

2024-11-15 06:34

Sample ID: 240613-eh7b7sxckm
Target: 5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe
SHA256: 550b1f2945443724adabc4ec789ea21f5647f3e13c3e3f9b397e7f584b49f053
Tags: upx persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 550b1f2945443724adabc4ec789ea21f5647f3e13c3e3f9b397e7f584b49f053

Threat Level: Shows suspicious behavior

The file 5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe was classified as "Shows suspicious behavior".

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 03:57

Signatures

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 03:57
Reported: 2024-06-13 04:00
Platform: win7-20240508-en
Max time kernel: 140s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2964-0-0x0000000001290000-0x00000000012A8000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2964-9-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

memory/2964-12-0x0000000001290000-0x00000000012A8000-memory.dmp

memory/1592-14-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

memory/2964-8-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bqE522VfA6SUHrO.exe

MD5 883962fe8aa5028dc10dfd0a874c5aba
SHA1 80e9d57951532ef16db00a47556f4710c7cfb5bf
SHA256 ad1615c0dd90d7b40260e5d29d471783da57487925cf29439e96feebc022f06d
SHA512 337bf96abaaa3499773b0f5034ffa46e8e2abd2ea7b81f4901ff35d88e7e4de8ad94e6d87ca12d301528ba4287597e02a3ab9ce74cba4e89d4f61c0d698d384d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 03:57
Reported: 2024-06-13 04:00
Platform: win10v2004-20240611-en
Max time kernel: 141s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c8697b1ced337469351606365af65f0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp

Files

memory/2668-0-0x0000000000820000-0x0000000000838000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/2668-8-0x0000000000820000-0x0000000000838000-memory.dmp

memory/4856-10-0x0000000000260000-0x0000000000278000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 aa0f17913cad97dfc3eb38640c962e4d
SHA1 c5a8bd77ed1a6e3da83d0a09e1aea8b4b858cd3c
SHA256 f784d45846d98a36faafb9dc635aa1d2254adb1aa43ce10a49c452907f0c9fb9
SHA512 6b6b3437c2c398a3c3bd09e2fe16ba4daa2aa7cce1a83572aa8cbba74050fc76b9366d6546df5a5f31669bff4449bb5b737469828019f7eae1ff84c66f38754b

C:\Users\Admin\AppData\Local\Temp\B3tvKEG37x8aRZx.exe

MD5 68975f5f209b828361637fe2fab978cb
SHA1 0b49dc05df956241476708f76f405e51610ab6ac
SHA256 b0a6e2b582f7cc5ad7358014c624a2763d2b2541fa030a2578260e54c36740f0
SHA512 a0b5102a449fa820e7af1d8455e1f5a09d4b87b630cdc808edaf1e07574035630976bcb1f94b49ae0dc56fb0aa41a17599e5f717b2a18000e0b983e8874b3f62

memory/4856-34-0x0000000000260000-0x0000000000278000-memory.dmp