bf2d820dc3076afdcacc5cc4c079b10139224b0420fd24377cd528cd3a6533e8

General

Target

22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
Size

481KB
MD5

22941c1300951042edc5f947a6514b10
SHA1

9adc18c87d4ce89e4e93af8d3d48903aa386137e
SHA256

bf2d820dc3076afdcacc5cc4c079b10139224b0420fd24377cd528cd3a6533e8
SHA512

701a3b59fa13b0c68663419eaf23dfee4979d1e445efa54926bdbfa469c1c944086f53907868a473b5eb8add330aab5c4b0310758ab5579b2994987bcb51fd83
SSDEEP

6144:/rTfUHeeSKOS9ccFKk3Y9t9YZtEg2rrT1Jzej5WGWsnjg231JhGtICCwi+:/n8yN0Mr8Zt52HT1RelWGWsnP1GuC/7

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

pid	Process
1604	Isass.exe
3452	Isass.exe
4912	Isass.exe
4496	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
1604	Isass.exe
1604	Isass.exe
3452	Isass.exe
3452	Isass.exe
3452	Isass.exe
3452	Isass.exe
3452	Isass.exe
3452	Isass.exe
3300	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
3300	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
4912	Isass.exe
4912	Isass.exe
4912	Isass.exe
4912	Isass.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1604	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	81
PID 4724 wrote to memory of 1604	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	81
PID 4724 wrote to memory of 1604	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	81
PID 4724 wrote to memory of 3452	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	82
PID 4724 wrote to memory of 3452	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	82
PID 4724 wrote to memory of 3452	4724	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	82
PID 3452 wrote to memory of 3300	3452	Isass.exe	83
PID 3452 wrote to memory of 3300	3452	Isass.exe	83
PID 3452 wrote to memory of 3300	3452	Isass.exe	83
PID 3300 wrote to memory of 4912	3300	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	84
PID 3300 wrote to memory of 4912	3300	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	84
PID 3300 wrote to memory of 4912	3300	22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe	84
PID 4912 wrote to memory of 4496	4912	Isass.exe	85
PID 4912 wrote to memory of 4496	4912	Isass.exe	85

C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe"
        5⤵
        Executes dropped EXE
        
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
700KB

MD5
764d954622dbcf2f0bb48d8f33ea623c

SHA1
d716634c0cf0f2998be759cec7c8174b05780f3b

SHA256
0371a53d6221829e526c19ed814dd2609f2e9611e294fa95800e869af2672de1

SHA512
0429cfdfc271e44b2ce5a88d5d12a7a520d456c7af595172ec19f8e0f13b3ab483d119b4fc482bac97ac07454c802a5e88b22140782e7ea84109134ec2406859

Download Submit
C:\Users\Admin\AppData\Local\Temp\22941c1300951042edc5f947a6514b10_NeikiAnalytics.exe

Filesize
261KB

MD5
9dce6a120d094e5c925b967c4bb36277

SHA1
1ab60840e8d8ed14619fab2d1559f989f01f01a9

SHA256
3052784f3683c2bbe95f59560eb311e75f1eac7aa5476a91bbd9fe4d2aef880a

SHA512
20a7a4b8ecb1262ed730c8299ad0ada2ad93327f0886e5fdefc89564ff7510595ec53ac5aa88747e0548315c3037125d83756e3ae4d9a813cc553c12991c94df

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
268c090ca6978a4e6b7cf7036c0bb5ec

SHA1
3f5a6c6aa9d76523948908bab626371c21e803f8

SHA256
a449755274373ffb475741fb32f7da5d76e60d55c3974c8096b24a34b79803db

SHA512
3a1a200adac16d90adb4502d4472b592716be335cbd385e0d3e34334eccf234588c7f752296ae0e1f403841aa3382bc53bc9a4d9648574df11a7c9b0613bcb91

Download Submit
memory/1604-55-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-78-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-67-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-8-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/1604-66-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-7-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-47-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-79-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-54-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-33-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-48-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-88-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-38-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1604-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3300-14-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3300-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3452-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3452-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3452-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4724-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4724-4-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4912-26-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4912-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads