ff599d9dd5b2a31e734391ef0fc4316ef781768b5c653e9380d7118595995103

General

Target

9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
Size

387KB
MD5

9ea889233129a72fbe429afd3c821d60
SHA1

382cba08a3b7fbe4a338ab81de551c51807cca37
SHA256

ff599d9dd5b2a31e734391ef0fc4316ef781768b5c653e9380d7118595995103
SHA512

96411be9114ccad76a390bf1df9bbde9d6b11c60b415f8078f7e9fdb54afce6bb4cbe4223f738a8a79c4c323f64a4969cef448f839d0c1a921d9703fab712f79
SSDEEP

6144:/rTfUHeeSKOS9ccFKk3Y9t9YZZ44omkAseOudcDiQuAB:/n8yN0Mr8ZZ4WxOccmQus

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 5 IoCs

pid	Process
4256	Isass.exe
1908	Isass.exe
552	Isass.exe
1436	Isass.exe
2352	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
4256	Isass.exe
4256	Isass.exe
1908	Isass.exe
1908	Isass.exe
1908	Isass.exe
1908	Isass.exe
1908	Isass.exe
1908	Isass.exe
4828	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
4828	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
552	Isass.exe
552	Isass.exe
552	Isass.exe
552	Isass.exe
552	Isass.exe
552	Isass.exe
1136	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
1136	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
1436	Isass.exe
1436	Isass.exe
1436	Isass.exe
1436	Isass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4256	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	83
PID 960 wrote to memory of 4256	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	83
PID 960 wrote to memory of 4256	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	83
PID 960 wrote to memory of 1908	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	84
PID 960 wrote to memory of 1908	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	84
PID 960 wrote to memory of 1908	960	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	84
PID 1908 wrote to memory of 4828	1908	Isass.exe	85
PID 1908 wrote to memory of 4828	1908	Isass.exe	85
PID 1908 wrote to memory of 4828	1908	Isass.exe	85
PID 4828 wrote to memory of 552	4828	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	86
PID 4828 wrote to memory of 552	4828	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	86
PID 4828 wrote to memory of 552	4828	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	86
PID 552 wrote to memory of 1136	552	Isass.exe	87
PID 552 wrote to memory of 1136	552	Isass.exe	87
PID 552 wrote to memory of 1136	552	Isass.exe	87
PID 1136 wrote to memory of 1436	1136	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	88
PID 1136 wrote to memory of 1436	1136	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	88
PID 1136 wrote to memory of 1436	1136	9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe	88
PID 1436 wrote to memory of 2352	1436	Isass.exe	89
PID 1436 wrote to memory of 2352	1436	Isass.exe	89

C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe"
        7⤵
        Executes dropped EXE
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
728KB

MD5
4a284f9c35be65213cfd76a00275eb0d

SHA1
87b692f57c0e3d6d654321a3f499c34f251e855e

SHA256
7371ed3273a5fd832b0cd96a4d37ec00e7bbebcbfdaaeb856a4a4f73450c5ae7

SHA512
3c65d7c8a627068935dba38a8ae046fe836096808787214335bc10466f8d6bec6a2da0add04d8594ee6a5733f47291433b009fb8ac4e5023a08a2672d05ddec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ea889233129a72fbe429afd3c821d60_NeikiAnalytics.exe

Filesize
140KB

MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
e61335365196601dda57a87c5924f007

SHA1
d76360a431c23f593ad6aa6bdfe4b006587d5630

SHA256
db98d96b31889d67315b5004e6455599f1b45a85b84e00ffb9f607c838e277bc

SHA512
c1302a4c36de22d4067da97947a32e0140290bf123efeaad3353f506b1216ff110283f62c864a1b4de87a453fde96d5bbe94dbcfa9a45c2b382bb047a8d13f7b

Download Submit
memory/552-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/552-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/960-4-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/960-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1136-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1436-31-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1908-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1908-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2352-33-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/4256-45-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-93-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-40-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-10-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/4256-44-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-84-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-53-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-54-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-60-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-61-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-68-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-72-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4256-83-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4828-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4828-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads