Malware Analysis Report

2024-11-15 06:33

Sample ID 240614-dtewnatbkb
Target 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
SHA256 113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430
Tags
persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430

Threat Level: Suspicious (score 7/10)

The file 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe shows suspicious behavior: it is UPX-packed and carries no embedded signature, drops and executes a second executable from the user's Temp directory, writes C:\Windows\CTS.exe and registers that file under the HKLM Run key, enables SeDebugPrivilege, and triggers the browser-profile-access (stealer) signature. No command-and-control traffic was recorded in either detonation.

Malicious Activity Summary

persistence spyware stealer upx

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:17

Signatures

UPX packed file

Tags: upx
Description | Indicator | Process | Target
(1 match; no indicator details recorded)

Unsigned PE

Description | Indicator | Process | Target
(2 matches; no indicator details recorded)
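The two static signatures above can be reproduced from the PE headers alone. The following is an added example, not the sandbox's own code: a standard-library PE parser that lists section names (UPX leaves UPX0/UPX1 by default) and reads the size of the Authenticode security directory (0 means no embedded signature). The bytes it is run on are a constructed, headers-only PE32 image built by build_sample_pe, not the report's sample.

```python
"""Static triage for the static1 signatures: UPX section names and an empty
Authenticode (security) data directory. Pure standard library; no pefile."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode data directory


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to list section names and the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: at optional header + 112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes precedes the table
    sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "sections": sections, "security_dir_size": sec_size}


def is_upx_packed(info: dict) -> bool:
    # UPX names its sections UPX0/UPX1/UPX2 by default; a renamed or re-packed
    # sample evades this, so treat a hit as a strong hint rather than proof.
    return any(name.startswith("UPX") for name in info["sections"])


def has_embedded_signature(info: dict) -> bool:
    # Size 0 means no Authenticode blob is attached. Windows' own binaries are
    # catalog-signed and also read 0 here, and a present blob still has to be
    # verified (signtool / WinVerifyTrust); this is a presence check only.
    return info["security_dir_size"] > 0


def triage(data: bytes) -> list:
    """Return the tags the report's static stage would attach: 'upx', 'unsigned'."""
    info = parse_pe(data)
    tags = []
    if is_upx_packed(info):
        tags.append("upx")
    if not has_embedded_signature(info):
        tags.append("unsigned")
    return tags


def build_sample_pe(section_names, security_size=0) -> bytes:
    """Constructed, headers-only PE32 image for the demo; not the sample from the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                                   # PE32 fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    table = b"".join(struct.pack("<8s", n.encode()) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + table


if __name__ == "__main__":
    print(triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))               # ['upx', 'unsigned']
    print(triage(build_sample_pe([".text", ".data"], security_size=0x2000)))  # []
```

To run it on a real file, pass open(path, "rb").read() to triage(). Both checks are cheap header reads and are meant for sorting a queue, not for a verdict: packing alone is not malicious, and an unsigned file is common for in-house tooling.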

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:17

Reported

2024-06-14 03:20

Platform

win7-20240508-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx
Description | Indicator | Process | Target
(5 matches; no indicator details recorded)

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A

Both the dropper and the dropped CTS.exe write the same machine-wide Run value, so the autostart survives even if the original file in Temp is deleted. The value lands under Wow6432Node because the writer is a 32-bit process on a 64-bit Windows image (registry redirection); on a 64-bit host it is read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run by 32-bit code only, so a cleanup must check both views.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Enabling SeDebugPrivilege only succeeds if the token already holds it (the sandbox runs the sample as an administrator) and is the usual prerequisite for opening other processes with full access; writing to C:\Windows likewise needs administrative rights. Under a standard user account the file drop and the HKLM Run value would both fail.

Processes

C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe

C:\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

No network activity recorded during the 122 s network window.

Files

memory/1780-0-0x0000000000B60000-0x0000000000B78000-memory.dmp

\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

memory/2068-13-0x00000000010D0000-0x00000000010E8000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/1780-11-0x0000000000B60000-0x0000000000B78000-memory.dmp

memory/2088-16-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

memory/2088-18-0x0000000000290000-0x00000000002B8000-memory.dmp

memory/2068-19-0x00000000010D0000-0x00000000010E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:17

Reported

2024-06-14 03:20

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx
Description | Indicator | Process | Target
(6 matches; no indicator details recorded)

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
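The behavioral1 and behavioral2 runs record the same chain on both platforms: the dropper writes C:\Windows\CTS.exe, registers it under the HKLM Run key, and starts it. The following is an added example of detection logic for that chain, not the sandbox's code. It runs over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that mirror the behavioral1 signatures; the process IDs are made up, and Sysmon renders the key as HKLM\... where the report shows the native \REGISTRY\MACHINE\... path. The hashes are the ones listed in the report's Files sections.

```python
"""Detection over Sysmon-style events for the persistence chain in behavioral1/2:
IOC hash hits, a loose .exe dropped into C:\\Windows, and Run-key autostarts that
point at (or are written from) locations a legitimate installer rarely uses."""
import json
import re

# IOCs from the report: the submitted sample and the two dropped executables
IOC_SHA256 = {
    "113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430",  # submitted sample
    "80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155",  # 4sGHlORDYV5JWuM.exe / IKx90daurQo8y5Q.exe
    "720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2",  # C:\Windows\CTS.exe
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# user AppData, Windows\Temp, or a bare .exe directly under C:\Windows (where CTS.exe landed)
SUSPICIOUS_PATH_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\windows\\temp\\|[a-z]:\\windows\\[^\\]+\.exe$)",
    re.IGNORECASE,
)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed events modelled on behavioral1 (PIDs are invented), plus one benign control
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "ProcessId": 101, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430"},
    {"EventID": 11, "ProcessId": 101, "Image": DROPPER, "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "ProcessId": 101, "Image": DROPPER, "TargetObject": RUN_VALUE,
     "Details": r"C:\Windows\CTS.exe"},
    {"EventID": 1, "ProcessId": 102, "Image": r"C:\Windows\CTS.exe", "ParentImage": DROPPER,
     "Hashes": "SHA256=720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2"},
    {"EventID": 13, "ProcessId": 102, "Image": r"C:\Windows\CTS.exe", "TargetObject": RUN_VALUE,
     "Details": r"C:\Windows\CTS.exe"},
    # benign control: a vendor installer registering its updater from Program Files
    {"EventID": 13, "ProcessId": 103, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\update.exe"},
)]


def _sha256(event: dict):
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part[7:].lower()
    return None


def analyse(lines):
    """Return (rule, image, detail) for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        image, eid = ev.get("Image", ""), ev.get("EventID")
        if eid == 1 and _sha256(ev) in IOC_SHA256:
            findings.append(("ioc_hash_match", image, _sha256(ev)))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", target, re.IGNORECASE):
                findings.append(("drop_in_windows_root", image, target))
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            data = ev.get("Details", "").strip('"')
            if SUSPICIOUS_PATH_RE.match(data) or SUSPICIOUS_PATH_RE.match(image):
                findings.append(("run_key_autostart", image, f"{ev['TargetObject']} = {data}"))
    return findings


def self_install_chain(lines):
    """Correlate: a process that writes an .exe and then registers that exact path under Run."""
    created, chains = {}, []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(".exe"):
            created.setdefault(ev.get("Image"), set()).add(ev["TargetFilename"].lower())
        elif ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            data = ev.get("Details", "").strip('"')
            if data.lower() in created.get(ev.get("Image"), set()):
                chains.append((ev.get("Image"), data))
    return chains


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(*finding, sep="\t")
    print(self_install_chain(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (any Run value pointing into AppData or at a bare executable in C:\Windows), which is why the correlation in self_install_chain matters: an installer writing its updater to Program Files and registering it there passes both, while a process that creates an executable and immediately registers that same path is what the two detonations above show. Hash matching is the weakest of the three since the next build of the dropper changes every hash; the path and registry patterns are what to keep.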

Processes

C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe

C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

The only traffic recorded is a reverse (PTR) lookup of 8.8.8.8 over UDP/53, which is routine resolver activity on the Windows 10 image rather than sample-driven; no other destination was contacted during the 149 s network window, so no command-and-control endpoint is known from this run.

Files

memory/2560-0-0x00000000008F0000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe

MD5 2fdb371d45181dff59577110ba1064e2
SHA1 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
SHA256 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
SHA512 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/1336-7-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

memory/2560-10-0x00000000008F0000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6cef3f9e1adc56af67ee6f8944ea22f9
SHA1 75dae680c27f60d1c9422e1a26b16ae309095079
SHA256 8bb17db6597fb94cbcf37fc8495b369bb21f3f8a0446a8a60d0044fe656dc65a
SHA512 1609a8237958e7ecfc411e1c4f6f92834f8b8bd6051d8ef6dab86abc2775f3753583724ccd6b7809bd333ffa8e6ca353c198a4c5c6ad5313d724cc56bee04c9b

memory/4912-22-0x0000000000930000-0x0000000000958000-memory.dmp

memory/4912-24-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

memory/4912-31-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

memory/1336-36-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

memory/4912-38-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp