Malware Analysis Report

2024-11-30 06:00

Sample ID 240614-f9pf5s1aqm
Target a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
SHA256 e3a63a884b06924123024abfcf89a192b5e57cafd5b343729bc93da7a0ba7380
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: e3a63a884b06924123024abfcf89a192b5e57cafd5b343729bc93da7a0ba7380

Threat Level: Shows suspicious behavior

The file a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe shows suspicious behavior but is not matched to a malware family; the tags (upx, persistence, spyware, stealer) are generic behaviour tags. The dropped payload C:\Windows\CTS.exe has identical hashes in both detonations (MD5 a6749b968461644db5cc0ecceffb224a), so it is the same file each run and not a per-run artifact, whereas the second executable written to the user's Temp directory has a different random name and different hashes in each run.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory (listed in the summary only; neither behavioral run below records a matching event)

MITRE ATT&CK

Enterprise Matrix V15

Techniques implied by the signatures in this report:
T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
T1555.003 Credentials from Password Stores: Credentials from Web Browsers (Reads user/profile data of web browsers)
T1134 Access Token Manipulation (Suspicious use of AdjustPrivilegeToken)
T1055 Process Injection (Suspicious use of WriteProcessMemory)

Analysis: static1

Detonation Overview

Reported: 2024-06-14 05:34

Signatures

UPX packed file

Tags: upx
(1 entry; description, indicator, process and target all N/A)

Unsigned PE

(2 entries; description, indicator, process and target all N/A)
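How a static triage pass arrives at the two static1 verdicts above, as an added example (not the sandbox's own code): it parses the PE headers by hand and reports UPX section names, sections with zero raw size, and whether an Authenticode certificate table is present. The image it builds with build_sample_pe() is a synthetic, header-only PE32 constructed here for offline use, not the analysed sample; on a real file call triage_pe(open(path, "rb").read()).

```python
"""Static PE triage behind the "UPX packed file" and "Unsigned PE" verdicts.

Added example, not the sandbox's code. Parses the DOS/COFF/optional headers
and the section table directly (standard library only). build_sample_pe()
fabricates a header-only PE32 image so the check runs offline; it is a
constructed test input, not the analysed binary.
"""
import struct

UPX_SECTION_NAMES = ("UPX0", "UPX1", "UPX2")
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the Authenticode certificate table


def triage_pe(data: bytes) -> dict:
    """Return packer and signature indicators read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        rva_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                # PE32+: +108 and +112
        rva_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    rva_count = struct.unpack_from("<I", data, rva_count_off)[0]

    # The security directory holds a *file offset* (not an RVA) and size of the
    # WIN_CERTIFICATE table. Both are zero in an unsigned image, which is all the
    # "Unsigned PE" verdict checks; a non-zero entry still has to be verified.
    cert_off = cert_size = 0
    if rva_count > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    table = opt + opt_size
    for i in range(nsect):
        name, vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size))

    names = [n for n, _, _ in sections]
    return {
        "machine": machine,
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        # UPX reserves its first section for the unpacked image: large VirtualSize,
        # SizeOfRawData 0. This survives even when the packer renames sections.
        "zero_raw_size_sections": [n for n, vsize, raw in sections if raw == 0 and vsize > 0],
        "authenticode_present": cert_off != 0 and cert_size != 0,
    }


def build_sample_pe(section_names, signed=False) -> bytes:
    """Construct a header-only PE32 image (synthetic test input, not a runnable program)."""
    opt_size = 224                                  # sizeof(IMAGE_OPTIONAL_HEADER32)
    image = bytearray(64)                           # DOS header
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 64)         # e_lfanew: NT headers follow immediately
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    image += opt
    for i, name in enumerate(section_names):
        raw_size = 0 if name == b"UPX0" else 0x200  # mimic UPX0's empty raw section
        image += struct.pack("<8sIIII", name, 0x1000, 0x1000 * (i + 1), raw_size, 0x400 + 0x200 * i)
        image += b"\0" * 16                         # relocations, line numbers, characteristics
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8   # 16-byte WIN_CERTIFICATE stub
        dd_security = 64 + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, dd_security, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for label, pe in (("packed", build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])),
                      ("signed", build_sample_pe([b".text", b".rdata", b".data"], signed=True))):
        print(label, triage_pe(pe))
```

Two caveats when reading these indicators. "Unsigned PE" only means the certificate table is absent; a present table proves nothing until the chain is verified (Get-AuthenticodeSignature or signtool verify /pa). The UPX verdict is by section name, which the packer's stub can be rebuilt to change, so treat the zero-raw-size first section and section entropy as the more durable signal; a stock UPX image can be restored with upx -d before static analysis.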

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 05:34
Reported: 2024-06-14 05:37
Platform: win7-20240611-en
Max time kernel: 141s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx
(6 entries; description, indicator, process and target all N/A)

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

The value lands under Wow6432Node because the writer is a 32-bit process on a 64-bit Windows image and WOW64 redirects its HKLM\SOFTWARE writes there; Run values in that view are still executed at logon, so this is a working autostart, not a misplaced one. Both the original sample and the dropped CTS.exe (re)write the same value, so removing the file alone leaves the key pointing at the path for the next drop.

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

No network traffic recorded in this run.

Files

memory/2176-0-0x0000000000090000-0x00000000000A8000-memory.dmp

memory/2176-5-0x00000000000B0000-0x00000000000C8000-memory.dmp

memory/2176-9-0x0000000000090000-0x00000000000A8000-memory.dmp

memory/2176-11-0x00000000000B0000-0x00000000000C8000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

C:\Users\Admin\AppData\Local\Temp\Sqc9gdYl9lVdciy.exe

MD5 bde93cf31bcf96753ad40b1082b69e58
SHA1 533e6e7e08366751451685341c6b3695cec39d06
SHA256 52315d57a34a4de6678adad2aa67b4abad78bebe1b5d7c70d174e42cef4ae105
SHA512 2ded6c2fd7fbf6a18cab77d2445ae0930666111ff976b0094d6d1d0dd4672d08206cdcb01007a4d9b45aafb7800f7576e82a2bf2948ad2221fdf289fe93117d9

memory/2556-17-0x0000000001330000-0x0000000001348000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 05:34
Reported: 2024-06-14 05:37
Platform: win10v2004-20240508-en
Max time kernel: 141s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx
(6 entries; description, indicator, process and target all N/A)

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
Process: C:\Windows\CTS.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: File created
Indicator: C:\Windows\CTS.exe
Process: C:\Windows\CTS.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\CTS.exe
Target: N/A
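The three persistence signatures in behavioral1 and behavioral2 (Drops file in Windows directory, Adds Run key to start application, Executes dropped EXE) are one chain: the sample writes C:\Windows\CTS.exe, registers it under the Run key, launches it, and CTS.exe repeats the first two steps. The following added example (not the sandbox's code) correlates Sysmon-style events so a Run-key write is judged by what it points to and who wrote it, rather than matched as an isolated registry event. The EVENTS list is constructed from the report's tables; the field names follow Sysmon (Image, TargetObject, Details, TargetFilename) but that log source, and the allow-list of legitimate writers to C:\Windows, are assumptions.

```python
"""Correlating the persistence chain recorded in behavioral1 and behavioral2.

Added example, not the sandbox's code. Replays Sysmon-style events
(FileCreate, RegistryValueSet, ProcessCreate) and links a Run-key write to
the file it points at and to the process that wrote it. EVENTS is constructed
from the report's tables; the Sysmon field names are an assumption.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.IGNORECASE)
# Writers allowed to create executables under C:\Windows (assumption: tune per environment).
WINDOWS_WRITER_ALLOW_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64|servicing)\\", re.IGNORECASE)

# Constructed events mirroring the report's rows, in the order the tables imply,
# plus one benign vendor-updater Run-key write for contrast.
EVENTS = [
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventType": "RegistryValueSet", "Image": SAMPLE, "TargetObject": RUN_KEY, "Details": r'"C:\Windows\CTS.exe"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\CTS.exe", "ParentImage": SAMPLE},
    {"EventType": "FileCreate", "Image": r"C:\Windows\CTS.exe", "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\CTS.exe", "TargetObject": RUN_KEY, "Details": r'"C:\Windows\CTS.exe"'},
    {"EventType": "RegistryValueSet", "Image": r"C:\Program Files\Vendor\Updater\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater\updater.exe" /background'},
]


def norm_path(value: str) -> str:
    """Lower-case a path taken from a command line or registry value, dropping quotes and arguments."""
    value = value.strip()
    value = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return value.lower()


def norm_key(key: str) -> str:
    """Canonicalise a registry path: native \\REGISTRY\\MACHINE prefix to HKLM, and fold the
    Wow6432Node view. A 32-bit process writing HKLM\\SOFTWARE\\...\\Run on 64-bit Windows is
    redirected there by WOW64, and Run values in that view are still executed at logon."""
    key = re.sub(r"^\\registry\\machine", "HKLM", key, flags=re.IGNORECASE)
    key = re.sub(r"\\wow6432node\\", r"\\", key, flags=re.IGNORECASE)
    return key.lower()


def detect_persistence(events):
    """Return findings for dropped-file persistence; each names the rule, the acting process and why."""
    dropped = {}                                  # normalised file path -> image that wrote it
    findings = []
    for ev in events:
        kind = ev["EventType"]
        if kind == "FileCreate":
            target = norm_path(ev["TargetFilename"])
            dropped[target] = ev["Image"]
            if target.startswith("c:\\windows\\") and target.endswith(".exe") \
                    and not WINDOWS_WRITER_ALLOW_RE.match(ev["Image"]):
                findings.append({"rule": "drops_exe_in_windows_dir", "process": ev["Image"], "target": target})
        elif kind == "ProcessCreate":
            image = norm_path(ev["Image"])
            if image in dropped:
                findings.append({"rule": "executes_dropped_exe", "process": ev.get("ParentImage", ""),
                                 "target": image, "reason": f"image was written by {dropped[image]}"})
        elif kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["TargetObject"]):
            target = norm_path(ev["Details"])
            reasons = []
            if target in dropped:
                reasons.append(f"autostart points to a file written by {dropped[target]}")
            if USER_WRITABLE_RE.search(ev["Image"]):
                reasons.append("written by a process running from a user-writable temp path")
            if reasons:
                findings.append({"rule": "run_key_persistence", "process": ev["Image"],
                                 "key": norm_key(ev["TargetObject"]), "target": target,
                                 "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in detect_persistence(EVENTS):
        print(finding)
```

Run against EVENTS this yields five findings for the sample's chain and none for the vendor updater, because its Run value points at a file no event in the trace created and its writer runs from Program Files. The same correlation is what separates this sample's Run key from the thousands of benign ones on a fleet: the key name (CTS) and the path are weak indicators on their own, the dropped-then-registered-then-executed sequence is not.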

Processes

C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a623279a963891a1581985d9fa7500d0_NeikiAnalytics.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country: US
Destination: 8.8.8.8:53
Domain: 8.8.8.8.in-addr.arpa
Proto: udp

The only traffic recorded is a reverse-DNS (PTR) query for 8.8.8.8 sent to Google's resolver over UDP. The report attaches no process to it, so it cannot be attributed to the sample from this data alone, and no command-and-control contact was observed in either run.

Files

memory/216-0-0x0000000000840000-0x0000000000858000-memory.dmp

memory/216-7-0x0000000000840000-0x0000000000858000-memory.dmp

C:\Windows\CTS.exe

MD5 a6749b968461644db5cc0ecceffb224a
SHA1 2795aa37b8586986a34437081351cdd791749a90
SHA256 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

memory/1356-10-0x0000000000470000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a684d5923b76d55b4f3eb362f96b345b
SHA1 8530aac2c8b8a9a001c7b02a54a67976405a7e11
SHA256 512f4d1c0eae5eb09f05047fb7d081b2c428d900011feeb410cebbf6ca0597b7
SHA512 47c2e12e7f6ccc2f45eda7af72fa046da3809ac41e0afa2e14b5b2447fe7c16903b3b5a006eae6c72d56418e474da527bcd990629cd455694805f8afbfdbfd91

C:\Users\Admin\AppData\Local\Temp\mX9xvhqNKC7o1BN.exe

MD5 bde9c60d8ca246646949fe7caedb69a7
SHA1 4db64895e58f6b377b4b6d397fad9f0c75ce8bfb
SHA256 a27aa17ac8ed749e3a5cf2e70d7185d86ddb28a4ffd3c087c11ea3bd78f5f488
SHA512 282530a382436ea604745cc98aaf499fd79c5c96618dba6707ad2e5ba17b247baba28ff9fad9dc266b1fb1beb43ebbd5433ab3a462d1b79f4f5997808d84a781