Analysis Overview
SHA256
e3a63a884b06924123024abfcf89a192b5e57cafd5b343729bc93da7a0ba7380
Threat Level: Suspicious
The file a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe shows suspicious behavior: it drops an executable to C:\Windows\CTS.exe, launches it, registers it under an HKLM Run key for persistence, and both the sample and the dropped process enable SeDebugPrivilege. The report attaches no malware-family signature to the sample.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 05:34
Signatures
UPX packed file
(no indicator details recorded)
Unsigned PE
(no indicator details recorded)
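Both static signatures above can be reproduced from the PE headers alone: UPX leaves its default section names (UPX0/UPX1) in the section table, and an unsigned PE has an empty security data directory (index 4, the Authenticode certificate table). The following is an added example, not code from the report or from the sandbox: it reads those two header fields from a PE image. The sample itself is not embedded here, so build_test_pe() constructs a minimal synthetic PE32 whose section names and certificate-table entry stand in for it; parse_pe, triage and build_test_pe are names chosen for this example.

```python
"""Static checks for the 'UPX packed file' and 'Unsigned PE' signatures:
read the PE section table and the Authenticode (security) data directory.
Added example; the sample itself is not embedded, build_test_pe() makes a
synthetic stand-in."""
import struct

# Section names UPX leaves behind unless the packer was told to rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode blob


def parse_pe(data: bytes) -> dict:
    """Return section names and the security directory (file offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * SECURITY_DIR_INDEX)
    table = opt + size_of_optional                        # IMAGE_SECTION_HEADER[]
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0")
             for i in range(num_sections)]
    return {"sections": names, "security_dir": (sec_off, sec_size)}


def triage(data: bytes) -> dict:
    """Apply the two report signatures to a PE image."""
    info = parse_pe(data)
    return {
        "upx_packed": any(n in UPX_SECTION_NAMES for n in info["sections"]),
        # size 0 means no embedded signature; catalog-signed files also look like this
        "has_authenticode": info["security_dir"][1] > 0,
        "sections": [n.decode("ascii", "replace") for n in info["sections"]],
    }


def build_test_pe(section_names, cert_size: int = 0) -> bytes:
    """Construct a minimal, non-runnable PE32 image (constructed test input):
    only the header fields parse_pe() reads are populated."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX,
                     0x1000 if cert_size else 0, cert_size)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(triage(build_test_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_test_pe([b".text", b".data"], cert_size=4096)))
```

Two caveats when applying this to real files: an empty security directory only proves there is no embedded signature, and Windows binaries signed through a catalog look identical, so confirm with signtool or Get-AuthenticodeSignature before calling a system file unsigned; and UPX can be told to rename its sections, so the absence of UPX0/UPX1 does not prove the file is unpacked (entropy of the sections is the next check).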
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 05:34
Reported
2024-06-14 05:37
Platform
win7-20240611-en
Max time kernel
141s
Max time network
123s
Command Line: none recorded
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
(no indicator details recorded)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2556 (4 calls logged) | N/A | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network: no connections recorded
Files
memory/2176-0-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2176-5-0x00000000000B0000-0x00000000000C8000-memory.dmp
memory/2176-9-0x0000000000090000-0x00000000000A8000-memory.dmp
memory/2176-11-0x00000000000B0000-0x00000000000C8000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
C:\Users\Admin\AppData\Local\Temp\Sqc9gdYl9lVdciy.exe
| MD5 | bde93cf31bcf96753ad40b1082b69e58 |
| SHA1 | 533e6e7e08366751451685341c6b3695cec39d06 |
| SHA256 | 52315d57a34a4de6678adad2aa67b4abad78bebe1b5d7c70d174e42cef4ae105 |
| SHA512 | 2ded6c2fd7fbf6a18cab77d2445ae0930666111ff976b0094d6d1d0dd4672d08206cdcb01007a4d9b45aafb7800f7576e82a2bf2948ad2221fdf289fe93117d9 |
memory/2556-17-0x0000000001330000-0x0000000001348000-memory.dmp
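The persistence recorded above (Run value CTS under HKLM\SOFTWARE\Wow6432Node\...\CurrentVersion\Run pointing at C:\Windows\CTS.exe, plus the dropped file's SHA256) is what a responder would hunt for on other hosts. The following is an added example, not part of the report: it parses the text that `reg query <key> /s` exports from a host and applies three checks to each Run value: an exact match on the report's IOCs, an autorun whose image lives directly under C:\Windows (a location legitimate software almost never uses for its own autorun), and a hash match against the dropped CTS.exe. The reg query excerpt, the VMware and SecurityHealth entries and the hash table are constructed; parse_reg_query, image_path and hunt are names chosen for this example.

```python
"""Hunt for the Run-key persistence this report records. Added example, not
part of the report; input is `reg query HKLM\\...\\Run /s` text exported from
a host, and a path->SHA256 table as Get-FileHash would produce it."""
import re
from pathlib import PureWindowsPath

# IOCs copied from the report
IOC_VALUE_NAME = "CTS"
IOC_PATH = r"C:\Windows\CTS.exe"
IOC_SHA256 = "720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2"
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
)

# reg query prints values as 4 spaces, name, 4 spaces, type, 4 spaces, data
_VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(text: str):
    """Yield (key, value_name, data) triples from `reg query ... /s` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def image_path(data: str) -> str:
    """Pull the executable out of a Run value: quoted path or first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def hunt(text: str, sha256_of: dict) -> list:
    """Return findings as (key, value_name, image, reasons) for Run values."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if not any(key.upper().endswith(rk.upper()) for rk in RUN_KEYS):
            continue
        image = image_path(data)
        p = PureWindowsPath(image)            # case-insensitive comparisons
        reasons = []
        if name.casefold() == IOC_VALUE_NAME.casefold() or p == PureWindowsPath(IOC_PATH):
            reasons.append("matches report IOC (CTS -> C:\\Windows\\CTS.exe)")
        # an autorun image directly under %SystemRoot% (not System32) is unusual
        if p.parent == PureWindowsPath(r"C:\Windows") and p.suffix.lower() == ".exe":
            reasons.append("executable dropped directly in C:\\Windows")
        if sha256_of.get(image.lower()) == IOC_SHA256:
            reasons.append("SHA256 matches dropped CTS.exe")
        if reasons:
            findings.append((key, name, image, reasons))
    return findings


# Constructed reg query export: one infected entry plus two benign ones.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    CTS    REG_SZ    C:\Windows\CTS.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""
# Constructed hash table, keyed by lower-cased path
SAMPLE_HASHES = {r"c:\windows\cts.exe": IOC_SHA256}


if __name__ == "__main__":
    for key, name, image, reasons in hunt(SAMPLE_REG_QUERY, SAMPLE_HASHES):
        print(f"{key}\\{name} -> {image}: {'; '.join(reasons)}")
```

The value name and path are the weakest of the three checks (a later build can rename both), which is why the hash and the location rule are applied as well; on a live host the same rules can be run over `Get-ItemProperty` output for the two Run keys and over the HKCU counterparts, which this sample did not touch.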
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 05:34
Reported
2024-06-14 05:37
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
51s
Command Line: none recorded
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
(no indicator details recorded)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 1356 (3 calls logged) | N/A | C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
The only traffic is a reverse (PTR) lookup of 8.8.8.8 sent to 8.8.8.8:53, which is most likely the sandbox OS resolving its own configured resolver rather than activity of the sample; the report therefore yields no network IOC.
Files
memory/216-0-0x0000000000840000-0x0000000000858000-memory.dmp
memory/216-7-0x0000000000840000-0x0000000000858000-memory.dmp
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/1356-10-0x0000000000470000-0x0000000000488000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | a684d5923b76d55b4f3eb362f96b345b |
| SHA1 | 8530aac2c8b8a9a001c7b02a54a67976405a7e11 |
| SHA256 | 512f4d1c0eae5eb09f05047fb7d081b2c428d900011feeb410cebbf6ca0597b7 |
| SHA512 | 47c2e12e7f6ccc2f45eda7af72fa046da3809ac41e0afa2e14b5b2447fe7c16903b3b5a006eae6c72d56418e474da527bcd990629cd455694805f8afbfdbfd91 |
C:\Users\Admin\AppData\Local\Temp\mX9xvhqNKC7o1BN.exe
| MD5 | bde9c60d8ca246646949fe7caedb69a7 |
| SHA1 | 4db64895e58f6b377b4b6d397fad9f0c75ce8bfb |
| SHA256 | a27aa17ac8ed749e3a5cf2e70d7185d86ddb28a4ffd3c087c11ea3bd78f5f488 |
| SHA512 | 282530a382436ea604745cc98aaf499fd79c5c96618dba6707ad2e5ba17b247baba28ff9fad9dc266b1fb1beb43ebbd5433ab3a462d1b79f4f5997808d84a781 |