Malware Analysis Report

2024-11-13 14:02

Sample ID 240613-gckx5awcqe
Target 62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe
SHA256 4215c7c3bb6b1353c334a5c69e5b7f6330b7de11751dc14918b1e297c22092bd
Tags
persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4215c7c3bb6b1353c334a5c69e5b7f6330b7de11751dc14918b1e297c22092bd

Threat Level: Shows suspicious behavior

The file 62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer upx

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:39

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:39

Reported

2024-06-13 05:42

Platform

win7-20240419-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlLDU9uu1RFCb8K.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\BlLDU9uu1RFCb8K.exe

C:\Users\Admin\AppData\Local\Temp\BlLDU9uu1RFCb8K.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1312-0-0x0000000000310000-0x0000000000328000-memory.dmp

\Users\Admin\AppData\Local\Temp\BlLDU9uu1RFCb8K.exe

MD5 f8a38fd27da720881c0af1ac99b8c1ad
SHA1 2ed31938119e2ebdeb0f5539c985e9965aef72d7
SHA256 b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4
SHA512 aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/1312-10-0x0000000000310000-0x0000000000328000-memory.dmp

memory/2096-14-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

memory/2096-19-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:39

Reported

2024-06-13 05:42

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nr2Gj9acOSz8zKp.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\62c115abc2445314fdeb214a829dde30_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\Nr2Gj9acOSz8zKp.exe

C:\Users\Admin\AppData\Local\Temp\Nr2Gj9acOSz8zKp.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 52.111.229.43:443 | N/A | tcp

Files

memory/3016-0-0x00000000004C0000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nr2Gj9acOSz8zKp.exe

MD5 f8a38fd27da720881c0af1ac99b8c1ad
SHA1 2ed31938119e2ebdeb0f5539c985e9965aef72d7
SHA256 b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4
SHA512 aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

memory/4908-9-0x00000000009B0000-0x00000000009C8000-memory.dmp

memory/3016-11-0x00000000004C0000-0x00000000004D8000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0b6e0a58ee9082a382ecc60bbce6c7ad
SHA1 06409f6f530d8901925b5d84d10dd60ae7fe5fc4
SHA256 8f5b54b61297f2c7fb18af6a5d6abbc9b7be327410413710a847b54c30f0d9a1
SHA512 2766a310b6920ce92527805680cfdb8c00e450298eb83b54586d43d3f76ac4c9b3af8784c1f59c389752627a07aa89d4b3aea42a4b685213ecda9573a43e4afa