Malware Analysis Report

2024-11-13 14:27

Sample ID 240614-c27e7swcmr
Target 9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe
SHA256 044a4e369e3c2921a8d71af64de9c13962b33767095006557fd86e4dd4d1579d
Tags persistence, spyware, stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 044a4e369e3c2921a8d71af64de9c13962b33767095006557fd86e4dd4d1579d

Threat Level: Shows suspicious behavior

The file 9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:35

Reported

2024-06-14 02:37

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6XuLVK9woDB8KNL.exe | N/A
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\6XuLVK9woDB8KNL.exe

C:\Users\Admin\AppData\Local\Temp\6XuLVK9woDB8KNL.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

\Users\Admin\AppData\Local\Temp\6XuLVK9woDB8KNL.exe

MD5 7b112b1fb864c90ec5b65eab21cb40b8
SHA1 e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512 bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\Downloads\ConnectSave.exe

MD5 3129a237c5edfc930d0daae0df5d66cb
SHA1 950b80bdb88b814a119de0770679053ca4053f56
SHA256 eef85e67158729049ebc0854e8beff374d4dc827583c56a8915ec62e6cb2ca6a
SHA512 d619f59a33631d013318e92ef226895ec8149af729e6219c0827f421b1e12551cb4eae8bd2a56bd960358df205eaf89b381a37fb6e8a7956599145c345b86637

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:35

Reported

2024-06-14 02:37

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AkvgfSlt85qi2qB.exe | N/A
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ba42fd6e9a9e260d08d9f65570457d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\AkvgfSlt85qi2qB.exe

C:\Users\Admin\AppData\Local\Temp\AkvgfSlt85qi2qB.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\AkvgfSlt85qi2qB.exe

MD5 7b112b1fb864c90ec5b65eab21cb40b8
SHA1 e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512 bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 c950c68ff4f08ef6f87adb4da1803721
SHA1 3263573a7977b73b94beae67df924037cee9b760
SHA256 b4806e516c701c906f0c7da0864a688e520179c6b4b744afb3072dab2f3a2fc4
SHA512 12fa1184b21169f4906aa86218fd494920a9cb504e5700a03e42afc51717fd4275e1b6691ba4a15d4eed8b3a2ff3e5c0ee041faedb033ac1307b90aeeae6df30