cc2cf24591d6595aa4b3d05a14ca4133a37dbe6dbd3e64ba36b11c3cbb2ae979

General

Target

e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
Size

502KB
MD5

e81a2def5cab4fcba77edc97d88fbd40
SHA1

d0824cb0f61532a8f44a7373d9c7d8ed556e7533
SHA256

cc2cf24591d6595aa4b3d05a14ca4133a37dbe6dbd3e64ba36b11c3cbb2ae979
SHA512

8c30c8ba57ecde10786bcbe7c27459d56ffc17bb2536e1f415737d2d13a7ac287b9e9f26e497b8dad12f0c010ff8127bcbb4ce27c538516a632516b41f23f107
SSDEEP

12288:6vnJeZtAi+4jg0pssGz/SAUaZE18fyMjIVyIrtBADJ9:WJitFy0a4GE64yxX

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
2492	SearchHelper.exe
3068	com3.exe
2940	com3.exe
1720	SearchHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1020	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2492	SearchHelper.exe
3068	com3.exe
2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
2940	com3.exe
1720	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	SearchHelper.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2492	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2492	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2492	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2492	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 3068	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 3068	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 3068	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 3068	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 2568	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 2568	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 2568	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 2568	2192	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	30
PID 2568 wrote to memory of 1720	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	31
PID 2568 wrote to memory of 1720	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	31
PID 2568 wrote to memory of 1720	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	31
PID 2568 wrote to memory of 1720	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	31
PID 2568 wrote to memory of 2940	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	32
PID 2568 wrote to memory of 2940	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	32
PID 2568 wrote to memory of 2940	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	32
PID 2568 wrote to memory of 2940	2568	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	32
PID 3068 wrote to memory of 1020	3068	com3.exe	35
PID 3068 wrote to memory of 1020	3068	com3.exe	35
PID 3068 wrote to memory of 1020	3068	com3.exe	35
PID 3068 wrote to memory of 1020	3068	com3.exe	35

C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1020
- C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe" silent pause
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
505KB

MD5
e2f6969f3e0b1a80919b896ce98f0aa0

SHA1
e9464f61da836ca7cdf3f3b4b92a237b36156e2d

SHA256
684bba26779fafee27cfc505f15265794b8951d4817422c1dc7cc01cc6b8a9f7

SHA512
95f375c95c6c2e1edfa60178212dbcb0db7d4a95c822a0dbd87083654f0b009ada2f2c586432471bd9bdd5de4e0875ea1606bd5cc7c8416394846c730a40619e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
505KB

MD5
d982390bcccf24351ec868c931111445

SHA1
3e3b99121addf72b762ecc1dea25e8fb42ab7870

SHA256
52cd019e6fc6a8a74543f1a02a7398fe04ec8c5f9ef43e70a616b31fdc9990d8

SHA512
520126819a4b4b33d2d0e281c3247a3ea1a67f515148b5d6bf7fe6c6bc82c69556a981e205f74873dea2c41befeca232b46258d8b68fb8cbce684755eff3f36f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
42ed55050cb56e0566661118445b53d6

SHA1
6c216b71db0bda7d9215954ae677da941489ffa1

SHA256
569370a39ed313542dc13a95e8d7397737f733c1857db625feeaf84154908a39

SHA512
bf382c0410ff0173df6eba31919a32cbdb47bd1182e9043bae01deeeb2f5537e1c860a1564b94faf4a783c9f5adf457b4df873f890d043eaba9ed7da13852d6d

Download Submit
memory/1720-89-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1720-101-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2192-58-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2192-22-0x00000000031B0000-0x0000000003219000-memory.dmp

Filesize
420KB

Download
memory/2192-16-0x00000000031B0000-0x0000000003219000-memory.dmp

Filesize
420KB

Download
memory/2192-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2192-57-0x00000000037A0000-0x0000000003809000-memory.dmp

Filesize
420KB

Download
memory/2192-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2492-23-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2492-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2568-88-0x0000000002410000-0x0000000002479000-memory.dmp

Filesize
420KB

Download
memory/2568-59-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2568-108-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2568-112-0x0000000002410000-0x0000000002479000-memory.dmp

Filesize
420KB

Download
memory/2568-113-0x0000000002410000-0x0000000002479000-memory.dmp

Filesize
420KB

Download
memory/2940-86-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3068-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3068-107-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads