cc2cf24591d6595aa4b3d05a14ca4133a37dbe6dbd3e64ba36b11c3cbb2ae979

General

Target

e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
Size

502KB
MD5

e81a2def5cab4fcba77edc97d88fbd40
SHA1

d0824cb0f61532a8f44a7373d9c7d8ed556e7533
SHA256

cc2cf24591d6595aa4b3d05a14ca4133a37dbe6dbd3e64ba36b11c3cbb2ae979
SHA512

8c30c8ba57ecde10786bcbe7c27459d56ffc17bb2536e1f415737d2d13a7ac287b9e9f26e497b8dad12f0c010ff8127bcbb4ce27c538516a632516b41f23f107
SSDEEP

12288:6vnJeZtAi+4jg0pssGz/SAUaZE18fyMjIVyIrtBADJ9:WJitFy0a4GE64yxX

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	com3.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
4648	SearchHelper.exe
1536	com3.exe
3412	SearchHelper.exe
1240	com3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3868	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
4648	SearchHelper.exe
4648	SearchHelper.exe
1536	com3.exe
1536	com3.exe
3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
1240	com3.exe
1240	com3.exe
3412	SearchHelper.exe
3412	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4648	SearchHelper.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4648	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	86
PID 1372 wrote to memory of 4648	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	86
PID 1372 wrote to memory of 4648	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	86
PID 1372 wrote to memory of 1536	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	87
PID 1372 wrote to memory of 1536	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	87
PID 1372 wrote to memory of 1536	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	87
PID 1372 wrote to memory of 3400	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	88
PID 1372 wrote to memory of 3400	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	88
PID 1372 wrote to memory of 3400	1372	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	88
PID 3400 wrote to memory of 3412	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	94
PID 3400 wrote to memory of 3412	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	94
PID 3400 wrote to memory of 3412	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	94
PID 3400 wrote to memory of 1240	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	95
PID 3400 wrote to memory of 1240	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	95
PID 3400 wrote to memory of 1240	3400	e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe	95
PID 1536 wrote to memory of 3868	1536	com3.exe	112
PID 1536 wrote to memory of 3868	1536	com3.exe	112
PID 1536 wrote to memory of 3868	1536	com3.exe	112

C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3868
- C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\e81a2def5cab4fcba77edc97d88fbd40_NeikiAnalytics.exe" silent pause
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
505KB

MD5
5ba208d63e9acfc20ce0dd8db6bc4624

SHA1
b774582b0c0c5fe3dfd36176a80731bb4ff7f899

SHA256
da1906d29978924e9daaaf4e522ee46869687edafbb28057054374ba1477684b

SHA512
54fef9765b1e58776d6b308e18c5b4e30cd4f1fc1984a1d57c14783440acdf8e9b27137535387d657fae56b4b6375156df1e7394cecedc7960351ba624ecda3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
505KB

MD5
97992d404cb875598003c9039d1209e1

SHA1
df4e69fda2ea6e9a6ac473d48378a2ecf389bc18

SHA256
2f5a9722785557956f740e5c714b39b9e5bb0d496c4837dace068aaea6548d8b

SHA512
ae4caa4b1d361ee6a46559838709203ca351b923e6700bcfeefe9681ab67bbc1ae34cf1cfddd42122e9f078e873b68bc23c76d04af676d30246dd6178910e811

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
edcdf8bea0e5bcc828f0806532e66d7d

SHA1
83d5d9fbc17c34835023d81aaa1c49795ca78b45

SHA256
85e0573e4768991ba90adabb7640f21e13c5b0ef2cb7da4aa8d919c368b204fd

SHA512
c8add4ecbe29cd7e89dba01ff0d6fb8379361e9195a0cdb5131904002032f0fbefac14c1b937dc019e46e6764165790a81d924e020ec8b4f1bd99ea6cec41ec8

Download Submit
memory/1240-85-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1240-73-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1240-62-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1372-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1372-37-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1372-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1536-93-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1536-34-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1536-39-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3400-38-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3400-49-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3400-94-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3412-74-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3412-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3412-72-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4648-18-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4648-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4648-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads